Preface

This book contains a selection of papers presented at the third annual workshop
of the Esprit Working Group 21900 Types, which was held 12-16 June 1999
at Lökeberg in the rural area north of Göteborg and close to Marstrand. It was
attended by 77 researchers.

The two previous workshops of the working group were held in Aussois,
France, in December 1996 and in Irsee, Germany, in March 1998. The proceedings
of those workshops appear as LNCS Vol. 1512 (edited by Christine Paulin-Mohring
and Eduardo Giménez) and LNCS Vol. 1657 (edited by Thorsten Altenkirch,
Wolfgang Naraschewski, and Bernhard Reus).

These workshops are, in turn, a continuation of the meetings organized in
1993, 1994, and 1995 under the auspices of the Esprit Basic Research Action
6453 Types for Proofs and Programs. Those proceedings were also published
in the LNCS series, edited by Henk Barendregt and Tobias Nipkow (Vol. 806,
1993), by Peter Dybjer, Bengt Nordström, and Jan Smith (Vol. 996, 1994) and
by Stefano Berardi and Mario Coppo (Vol. 1158, 1995). The Esprit BRA 6453
was a continuation of the former Esprit Action 3245 Logical Frameworks: Design,
Implementation and Experiments. The articles from the annual workshops
organized under that Action were edited by Gérard Huet and Gordon Plotkin
in the books Logical Frameworks and Logical Environments, both published by
Cambridge University Press.
Specification and Verification of a Formal
System for Structurally Recursive Functions

Andreas Abel

Department of Computer Science, University of Munich
abel@informatik.uni-muenchen.de



Abstract. A type theoretic programming language is introduced that is 
based on lambda calculus with coproducts, products and inductive types, 
and additionally allows the definition of recursive functions in the way 
that is common in most functional programming languages. A formal 
system is presented that checks whether such a definition is structurally 
recursive and a soundness theorem is shown for this system. Thus all 
functions passing this check are ensured to terminate on all inputs. For 
the moment only non-mutual recursive functions are considered. 



1 Introduction 

In lambda calculi with inductive types the standard means to construct a function
over an inductive type is the recursor. This method, however, has several
drawbacks, as discussed, e.g., in [Coq92]. One of them is that it is not very
intuitive: For instance it is not obvious how to code the following "division by
2" function with recursors:

half 0 = 0
half 1 = 0
half (n+2) = (half n) + 1

Therefore an alternative approach has been investigated: recursive definitions 
with pattern matching, as they are common in nearly all functional programming 
languages. To define total functions, they have to satisfy two conditions: 

1. The patterns have to be exhaustive and mutually exclusive. We will not 
focus on this point further since the foetus language we introduce in Sect. 2 
uses only case expressions and thus this condition is always fulfilled. For a 
discussion see [Coq92]. 

2. The definition must be well-founded, which means that for all arguments the
function value has a well-founded computation tree. This can be ensured if
one can give a termination ordering for that function, i.e., an ordering with
respect to which its arguments in each recursive call are smaller than the
input parameters of that function.
We will restrict ourselves to structural orderings, since they can be checked
automatically and still allow the definition of a large number of total functions
directly. By introducing an extra wellfounded argument (which is decreased
structurally in each recursive call), one can code any function that can be proven
total in Martin-Löf's Type Theory (MLTT [Mar84]) or an equivalent system.

We say an expression s is structurally smaller than an expression t if s appears 
in the computation tree of t. Sometimes this is called “component relation”. 

In [Abe98] the implementation of the termination checker foetus has been
presented. This checker, which accepts structurally recursive functions of the
kind described above, has been reimplemented as part of Agda by C. Coquand
[Coq99]. In [AA99] a semantics for the foetus language has been defined, and for
all types the wellfoundedness wrt. the structural ordering on values has been
proven. Furthermore a function has been defined to be (semantically) structurally
recursive if it terminates on input value w under the condition that it terminates
on all values v that are smaller than w wrt. a structural ordering on the value
domain. Thus we could prove termination for all terms by assuming that all
named functions are structurally recursive.

This article is meant to close a gap that has remained in [AA99] . For it to be 
self-contained, we repeat the definitions of the foetus language, operational and 
value semantics as far as we refer to them in this presentation. (Old definitions 
are laid out in tables.) The new contributions start with a formalization of the 
termination checker in the form of a predicate “sr” (syntactically structurally 
recursive) on terms. This extends the derivation system for structural ordering 
on terms. First we will show that the ordering on terms is reflected by that on 
the values, i.e., evaluation preserves the ordering. Second we will prove that all 
functions captured by the sr-predicate are indeed total, i.e., that they terminate 
on all inputs. Thus we establish the soundness of our system formally. 

At the moment we exclude mutually recursive functions, since they require 
more sophisticated concepts. For non-mutual recursion — which we will treat 
here — the proof is beautiful in its straightforwardness. The specification consists 
mostly of strictly positive inductive definitions, and the proof is constructive. 
Also, since most details have been completely formalized, we can almost directly 
implement it in a system like MLTT. On the final theorem, “all closed terms 
evaluate to a good value”, we can apply program extraction. Thus we would 
obtain an interpreter for the lambda calculus with inductive types and recursive 
functions, for which termination is verified. 

1.1 Related Work 

Giménez also presents a syntactic criterion for structural recursion which he calls
"guarded-by-destructors" [Gim95]. He gives, however, no proof for the soundness
of his criterion. Furthermore we believe that our approach is more concise and
more flexible in how functions can be defined.

Jouannaud and Okada [JO97] and later also Blanqui [BJO00] deal with inductive
types, too, but in the area of extensible term rewriting systems. Since they also
do not handle mutual recursion, our present approach seems to have the same
expressive power as their Extended General Schema. But both approaches
differ considerably in the notion of a recursive call with a smaller argument.

Telford and Turner [TT99] are investigating Strong Functional Programming, 
i.e., functional programming languages where only terminating functions can 
be defined. Technically they use abstract interpretations to ensure termination. 
Since they count constructors and destructors, they can handle a wider class of 
functions. I consider their approach as very promising but it seems that it is not 
yet fully formalized and verified. Maybe the ideas of my work presented here 
could be transferred to their approach. 

Christoph Walther has invented reduction checking, which is sometimes re- 
ferred to as “Walther recursion” [MA96]. Here functions are not only examined 
whether they are terminating, but also whether they are reducers or preservers, 
i.e., whether the output of the function is (strictly) smaller than the input. This 
information can be used to check termination of nested recursive functions or 
just for functions which decrease their input via a previously defined function in 
a recursive call. It seems that my system could be extended to reduction checking 
in a straightforward way, since I already use assumptions (dependencies) in my 
judgements (see Def. 5). 

Finally, Pientka and Pfenning [PP00] have implemented termination and
reduction checking for the Twelf system [PS98] based on LF [HHP93]. Although
coming from the realm of logic programming, their formal system that implements
the check is similar to mine. However, theirs is constructor based and
mine is destructor based. They justify the stringency of their system by a cut
admissibility proof, but have not shown soundness yet.

In comparison with the work discussed above, the main contribution of this
article is giving a clear and straightforward soundness proof for my system, based
on a semantics for the judgements of my formal system.

1.2 Notational Conventions 

We are using vectors to simplify our notation. If we have a family of (meta)
expressions $E_1, E_2, \ldots, E_n$ we write $\vec{E}$ for the whole sequence. $S_n$ denotes the
set of permutations on $\{1, \ldots, n\}$. Furthermore we use the denotations

  $X, Y, Z$              for type variables
  $\rho, \sigma, \tau$   for types
  $g, x, y, z$           for term variables
  $r, s, t, a$           for terms
  $f, u, v, w$           for values
  $c$                    for closures
  $e$                    for environments
  $p, q$                 for atoms (containing a relation between terms)

We use rule notation for inductive definitions, but also for propositions (cf.
Lemma 1). On top of the bar we put the premises and on bottom the conclusion(s),
in both cases to be read as a conjunction.
2 The foetus Language and Its Semantics

In [AA99] we already introduced the term language foetus and its semantics.
Here we will only briefly repeat the definitions and main results (see Tables 2
and 3). The types are constructed by type variables $X, Y, Z, \ldots$ and the type
constructors $\Sigma$ (finite sum), $\Pi$ (finite product), $\to$ (function space) and $\mu$ (strictly
positive inductive type).



Table 2. The foetus Language

Types $\mathrm{Ty}(\vec{X})$ (over a finite list of type variables $\vec{X}$)

  $\rho, \sigma, \tau ::= X_i \mid \Sigma\vec{\sigma} \mid \Pi\vec{\sigma} \mid \sigma \to \tau \mid \mu X_{n+1}.\sigma$     precedence: $\Pi$, $\Sigma$, $\to$
  $0 := \Sigma()$              empty sum
  $1 := \Pi()$                 empty product
  $\mathrm{Ty} := \mathrm{Ty}()$   closed types

Contexts

  $\Gamma = x_1^{\sigma_1}, \ldots, x_n^{\sigma_n} \in \mathrm{Cxt}$     ($x_i$ pairwise distinct)

Terms $\mathrm{Tm}^\sigma[\Gamma]$ of closed type $\sigma$ in context $\Gamma$

  (var)    $\dfrac{\Gamma \in \mathrm{Cxt} \quad x \notin \Gamma}{x \in \mathrm{Tm}^\sigma[\Gamma, x^\sigma]}$

  (weak)   $\dfrac{t \in \mathrm{Tm}^\sigma[\Gamma] \quad x \notin \Gamma}{t \in \mathrm{Tm}^\sigma[\Gamma, x^\tau]}$

  (in)     $\dfrac{t \in \mathrm{Tm}^{\sigma_j}[\Gamma] \quad \vec{\sigma} \in \mathrm{Ty}}{\mathrm{in}_j(t) \in \mathrm{Tm}^{\Sigma\vec{\sigma}}[\Gamma]}$

  (case)   $\dfrac{t \in \mathrm{Tm}^{\Sigma\vec{\sigma}}[\Gamma] \quad t_i \in \mathrm{Tm}^\tau[\Gamma, x_i^{\sigma_i}] \text{ for } 1 \le i \le n}{\mathrm{case}(t, x_1.t_1, \ldots, x_n.t_n) \in \mathrm{Tm}^\tau[\Gamma]}$

  (tup)    $\dfrac{t_i \in \mathrm{Tm}^{\sigma_i}[\Gamma] \text{ for } 1 \le i \le n}{(t_1, \ldots, t_n) \in \mathrm{Tm}^{\Pi\vec{\sigma}}[\Gamma]}$

  (pi)     $\dfrac{t \in \mathrm{Tm}^{\Pi\vec{\sigma}}[\Gamma]}{\mathrm{pi}_j(t) \in \mathrm{Tm}^{\sigma_j}[\Gamma]}$

  (lam)    $\dfrac{t \in \mathrm{Tm}^\tau[\Gamma, x^\sigma]}{\lambda x^\sigma.t \in \mathrm{Tm}^{\sigma \to \tau}[\Gamma]}$

  (rec)    $\dfrac{t \in \mathrm{Tm}^\tau[\Gamma, g^{\Pi\vec{\sigma} \to \tau}, x^{\Pi\vec{\sigma}}] \quad \vdash g(x)\ \mathrm{sr}\ t}{\mathrm{fun}\ g^{\Pi\vec{\sigma} \to \tau}(x^{\Pi\vec{\sigma}}) = t \in \mathrm{Tm}^{\Pi\vec{\sigma} \to \tau}[\Gamma]}$

  (app)    $\dfrac{t \in \mathrm{Tm}^{\sigma \to \tau}[\Gamma] \quad s \in \mathrm{Tm}^\sigma[\Gamma]}{t\,s \in \mathrm{Tm}^\tau[\Gamma]}$

  (fold)   $\dfrac{t \in \mathrm{Tm}^{\sigma[\mu X.\sigma]}[\Gamma]}{\mathrm{fold}(t) \in \mathrm{Tm}^{\mu X.\sigma}[\Gamma]}$

  (unfold) $\dfrac{t \in \mathrm{Tm}^{\mu X.\sigma}[\Gamma]}{\mathrm{unfold}(t) \in \mathrm{Tm}^{\sigma[\mu X.\sigma]}[\Gamma]}$

Syntactic sugar: $\mathrm{fun}\ g(x_1^{\sigma_1}, \ldots, x_n^{\sigma_n}) = t$ stands for $\mathrm{fun}\ g(y^{\Pi\vec{\sigma}}) = t[x_1 := \mathrm{pi}_1(y), \ldots, x_n := \mathrm{pi}_n(y)]$:

  $\dfrac{t \in \mathrm{Tm}^\tau[\Gamma, g^{\Pi\vec{\sigma} \to \tau}, x_1^{\sigma_1}, \ldots, x_n^{\sigma_n}] \quad \vdash g(y)\ \mathrm{sr}\ t[x_1 := \mathrm{pi}_1(y), \ldots, x_n := \mathrm{pi}_n(y)]}{\mathrm{fun}\ g(x_1^{\sigma_1}, \ldots, x_n^{\sigma_n}) = t \in \mathrm{Tm}^{\Pi\vec{\sigma} \to \tau}[\Gamma]}$
2.1 Recursive Terms

The terms inhabiting closed types are the terms of a lambda calculus with sums
and products plus folding and unfolding for inductive types plus structurally
recursive terms (see Table 2). Here fold and unfold establish the isomorphism
between $\mu X.\sigma$ and $\sigma[\mu X.\sigma]$. The rule (rec) introduces a recursive term resp.
named function that solves the equation $g = \lambda x.t$ in place of $g$.¹ We require the
argument of $g$ to be of product type to simplify the handling of lexicographic
termination orderings.²

In the function body $t$ the identifier $g$ may only appear structurally recursive
with respect to parameter $x$. This property is ensured by the judgement

  $\Delta \vdash g(x)\ \mathrm{sr}\ t$

Read "under the dependencies $\Delta$ the function $g$ with parameter $x$ is structurally
recursive in $t$". For example the following judgement is valid

  $x' <^{\mathrm{Tm}} x \vdash g(x)\ \mathrm{sr}\ g\,x'$

which expresses that a recursive call $g\,x'$ in a function $g$ is admissible for the
function $g(x)$ to be structurally recursive, if the argument $x'$ of the call is strictly
smaller than the parameter $x$ of the function. A function $g$ is structurally
recursive, if it is structurally recursive in its whole body $t$ under no assumptions
(dependencies), i.e., if all calls are decreasing.

We will present the proof rules for $<^{\mathrm{Tm}}$ and sr in Sect. 3. The intention is
that sr is defined simultaneously with the terms.



2.2 Operational Semantics

We define a big step operational semantics "$\downarrow$" as a relation between closures and
values. The intention behind values is that they are the results of the evaluation
process. Closures are (open) terms paired with a mapping of the free variables
to values (environment). Closures of the form $f@u$ (value applied to value) are
convenient to define the operational semantics without casting values back to
terms.

Table 3 presents the operational semantics. (For reasons of readability we
leave out type and context annotations wherever possible.) Our strategy is
call-by-value (see rule (opapp)) and we do not evaluate under $\lambda$ and recursive terms
(see rules (oplam) and (oprec)). Furthermore $\downarrow$ is deterministic, i.e., $c \downarrow v$ and
$c \downarrow v'$ imply $v = v'$. Thus we can invert all rules for $\downarrow$. We denote the inversion
of the rule (X) by (X$^{-1}$).

¹ In the literature one often finds the notation $\mu g.\lambda x.t$, expressing that the function
is the smallest fixed-point of $\lambda x.t[\Gamma, g]$. Our notation is inspired by the functional
programming language SML.

² Note that 1-element tuples are allowed as arguments, so this is not really a restriction.
Table 3. Values and Operational Semantics

Values $\mathrm{Val}^\sigma$, environments $\mathrm{Env}[\Gamma]$ and closures $\mathrm{Cl}^\sigma$

  $u, v, w \in \mathrm{Val} ::= \mathrm{in}_j(v) \mid (v_1, \ldots, v_n) \mid \mathrm{fold}(v) \mid (\lambda x.t;\, e) \mid (\mathrm{fun}\ g(x) = t;\, e)$
  $\mathrm{Env}[\Gamma] := \{ x_1 = v_1, \ldots, x_n = v_n : v_i \in \mathrm{Val}^{\sigma_i} \}$   for $\Gamma = x_1^{\sigma_1}, \ldots, x_n^{\sigma_n}$
  $\mathrm{Cl}^\sigma := \{ (t; e) : \exists \Gamma \in \mathrm{Cxt}.\ t \in \mathrm{Tm}^\sigma[\Gamma] \wedge e \in \mathrm{Env}[\Gamma] \}$
        $\cup\ \{ f@u : f \in \mathrm{Val}^{\tau \to \sigma}, u \in \mathrm{Val}^\tau \}$   ("@" is a new symbol)

Notation

  terms:  $t^\sigma[\Gamma]$ expresses $t$, where $t \in \mathrm{Tm}^\sigma[\Gamma]$ ($\sigma$, $\Gamma$ optional)
  values: $v^\sigma$ expresses $v$, where $v \in \mathrm{Val}^\sigma$

Operational Semantics $\downarrow^\sigma \subseteq \mathrm{Cl}^\sigma \times \mathrm{Val}^\sigma$

  (opvar)    $\dfrac{}{(x;\, e, x = v) \downarrow v}$

  (opweak)   $\dfrac{(t[\Gamma];\, e) \downarrow v}{(t[\Gamma, x];\, e, x = w) \downarrow v}$

  (opin)     $\dfrac{(t; e) \downarrow v}{(\mathrm{in}_j(t); e) \downarrow \mathrm{in}_j(v)}$

  (opcase)   $\dfrac{(t[\Gamma]; e) \downarrow \mathrm{in}_j(v') \quad (t_j[\Gamma, x_j];\, e, x_j = v') \downarrow v}{(\mathrm{case}(t, \vec{x}.\vec{t}); e) \downarrow v}$

  (optup)    $\dfrac{(t_i; e) \downarrow v_i \text{ for } 1 \le i \le n}{((\vec{t}); e) \downarrow (\vec{v})}$

  (oppi)     $\dfrac{(t; e) \downarrow (\vec{v})}{(\mathrm{pi}_j(t); e) \downarrow v_j}$

  (oplam)    $\dfrac{}{(\lambda x.t; e) \downarrow (\lambda x.t; e)}$

  (opapp)    $\dfrac{(t; e) \downarrow f \quad (s; e) \downarrow u \quad f@u \downarrow v}{(t\,s; e) \downarrow v}$

  (opappvl)  $\dfrac{(t;\, e, x = u) \downarrow v}{(\lambda x.t; e)@u \downarrow v}$

  (oprec)    $\dfrac{}{(\mathrm{fun}\ g(x) = t; e) \downarrow (\mathrm{fun}\ g(x) = t; e)}$

  (opappvr)  $\dfrac{(t;\, e, g = (\mathrm{fun}\ g(x) = t; e), x = u) \downarrow v}{(\mathrm{fun}\ g(x) = t; e)@u \downarrow v}$

  (opfold)   $\dfrac{(t; e) \downarrow v}{(\mathrm{fold}(t); e) \downarrow \mathrm{fold}(v)}$

  (opunfold) $\dfrac{(t; e) \downarrow \mathrm{fold}(v)}{(\mathrm{unfold}(t); e) \downarrow v}$
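The rules of Table 3 read directly as an interpreter. The following Python program is an added example, not code from the paper or from the foetus implementation: it encodes terms and values as tuples (an encoding of ours; the constructor tags, the `ev`/`apply` names and the Nat helpers are assumptions made for this example) and evaluates the paper's `half` and `add` on small numerals. Note that nothing here guarantees termination; a closure whose body calls itself on its own argument simply recurses forever. That guarantee is exactly what the sr check of Sect. 3 supplies on top of these rules.

```python
"""Added example, not the paper's own code: an interpreter for the big-step
semantics of Table 3 (call-by-value, no evaluation under lambda or fun).
Terms use a tuple encoding of ours: ('var', y) | ('in', j, t) | ('case', s, ((x, t), ...))
| ('tup', (t, ...)) | ('pi', j, t) | ('lam', x, t) | ('app', t, s) | ('fold', t)
| ('unfold', t) | ('fun', g, x, t).  Values: ('in', j, v) | ('tup', (v, ...)) | ('fold', v)
| ('lam', x, t, e) | ('fun', g, x, t, e).  An environment e is a dict from names to values."""


def ev(t, e):
    """(t; e) evaluates to a value: rules (opvar) .. (opunfold), one clause each."""
    tag = t[0]
    if tag == 'var':                                   # (opvar), (opweak): lookup in e
        return e[t[1]]
    if tag == 'in':                                    # (opin)
        return ('in', t[1], ev(t[2], e))
    if tag == 'case':                                  # (opcase): scrutinee to in_j(v'), then branch j
        _, j, v = ev(t[1], e)
        xj, tj = t[2][j - 1]
        return ev(tj, {**e, xj: v})
    if tag == 'tup':                                   # (optup)
        return ('tup', tuple(ev(ti, e) for ti in t[1]))
    if tag == 'pi':                                    # (oppi): projections are 1-based as in the paper
        return ev(t[2], e)[1][t[1] - 1]
    if tag == 'lam':                                   # (oplam): a closure, body left unevaluated
        return ('lam', t[1], t[2], e)
    if tag == 'fun':                                   # (oprec): a recursive closure
        return ('fun', t[1], t[2], t[3], e)
    if tag == 'app':                                   # (opapp): evaluate both sides, then f@u
        return apply(ev(t[1], e), ev(t[2], e))
    if tag == 'fold':                                  # (opfold)
        return ('fold', ev(t[1], e))
    if tag == 'unfold':                                # (opunfold)
        return ev(t[1], e)[1]
    raise ValueError('not a term: %r' % (t,))


def apply(f, u):
    """f@u for the two kinds of function values."""
    if f[0] == 'lam':                                  # (opappvl)
        _, x, body, e = f
        return ev(body, {**e, x: u})
    _, g, x, body, e = f                               # (opappvr): the closure is bound to g itself
    return ev(body, {**e, g: f, x: u})


# Nat = mu X. 1 + X (and the finite part of Ord): O = fold(in_1 ()), S v = fold(in_2 v).
# First-order terms and values share the encoding, so nat(n) also serves as a term.
def nat(n):
    v = ('fold', ('in', 1, ('tup', ())))
    for _ in range(n):
        v = ('fold', ('in', 2, v))
    return v

def to_int(v):
    """Inverse of nat() on values built from in_1 / in_2 only."""
    n = 0
    while v[1][1] == 2:
        n, v = n + 1, v[1][2]
    return n

# The paper's terms with the syntactic sugar expanded (y is the product parameter).
# These encodings are constructed for this example.
V = lambda y: ('var', y)
ZERO = ('fold', ('in', 1, ('tup', ())))
S = lambda t: ('fold', ('in', 2, t))
call = lambda g, *args: ('app', V(g), ('tup', args))
HALF = ('fun', 'half', 'y',
        ('case', ('unfold', ('case', ('unfold', ('pi', 1, V('y'))), (('_', ('pi', 1, V('y'))), ('n1', V('n1'))))),
         (('_', ZERO), ('n2', S(call('half', V('n2')))))))
LIM = ('fold', ('in', 3, ('lam', 'z', call('add', ('app', V('f'), V('z'))))))
ADD = ('lam', 'x', ('fun', 'add', 'y',
       ('case', ('unfold', ('pi', 1, V('y'))), (('_', V('x')), ('n', S(call('add', V('n')))), ('f', LIM)))))

def run_half(n):
    """half applied to the 1-tuple (nat n)."""
    return to_int(apply(ev(HALF, {}), ('tup', (nat(n),))))

def run_add(m, n):
    """(add x)(y) on finite ordinals: x is captured in the closure, y is the 1-tuple (nat n)."""
    return to_int(apply(apply(ev(ADD, {}), nat(m)), ('tup', (nat(n),))))

if __name__ == '__main__':
    print([run_half(n) for n in range(8)])     # [0, 0, 1, 1, 2, 2, 3, 3]
    print(run_add(2, 3))                        # 5
```

The `add` example shows why (opappvr) binds the closure to `g` inside its own environment: the free variable `x` is captured by (oplam) and (oprec) in turn, and every recursive call re-enters the same closure with the same `x`.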



2.3 Semantics and Structural Ordering on Values

We give a semantics of the types in foetus that captures the "good" values, i.e.
those values that ensure termination. In this sense $f$ will be a good function
value if it evaluates to a good result when applied to a good argument.

Definition 1 (Semantics on values). For every closed type $\sigma \in \mathrm{Ty}$ the
semantics $\mathrm{VAL}^\sigma \subseteq \mathrm{Val}^\sigma$ contains the good values of type $\sigma$. Especially for arrow
types:

  $f \in \mathrm{VAL}^{\sigma \to \tau} \iff \forall u \in \mathrm{VAL}^\sigma.\ \exists v \in \mathrm{VAL}^\tau.\ f@u \downarrow v$

More details do not matter at this point. We refer the interested reader to
[Abe99], where the construction of this semantics has been carried out, and to
[AA99] for an even predicative construction. Note that in both papers $\mathrm{VAL}^\sigma$ is
denoted by $[\![\sigma]\!]$.

Definition 2 (Good environment). Let $\Gamma = x_1^{\sigma_1}, \ldots, x_n^{\sigma_n}$. Then

  $\mathrm{ENV}[\Gamma] := \{ x_1 = v_1, \ldots, x_n = v_n : v_i \in \mathrm{VAL}^{\sigma_i} \text{ for } 1 \le i \le n \}$

Definition 3 (Strong evaluation). We say a closure $c \in \mathrm{Cl}^\sigma$ evaluates strongly
to a value $v \in \mathrm{Val}^\sigma$, if $v$ is a good value:

  $c \Downarrow v \iff c \downarrow v\ \&\ v \in \mathrm{VAL}^\sigma$

For closures of the form $c = (t; e)$ we additionally require that every subterm $s$
of $t$ evaluates strongly, $(s; e') \Downarrow$, in environment $e'$ where $e'$ is $e$, a shortening of
$e$ or the extension of $e$ by a good value $w$. We refer to this requirement as the
subterm property.



Table 4. Ordering on Values

Structural ordering $R_{\sigma,\tau} \subseteq \mathrm{VAL}^\sigma \times \mathrm{VAL}^\tau$ ($R \in \{<, \le\}$)

  ($\le$refl)  $\dfrac{}{v \le_{\sigma,\sigma} v}$

  ($R$in)      $\dfrac{w\ R_{\rho,\sigma_j}\ v}{w <_{\rho,\Sigma\vec{\sigma}} \mathrm{in}_j(v)}$

  ($R$tup)     $\dfrac{\exists j.\ w\ R_{\rho,\sigma_j}\ v_j}{w\ R_{\rho,\Pi\vec{\sigma}}\ (\vec{v})}$

  ($R$arr)     $\dfrac{f@u \Downarrow v \quad w\ R_{\rho,\tau}\ v}{w\ R_{\rho,\sigma \to \tau}\ f}$

  ($R$fold)    $\dfrac{w\ R_{\sigma,\tau[\mu X.\tau]}\ v}{w\ R_{\sigma,\mu X.\tau}\ \mathrm{fold}(v)}$

Admissible rules (besides transitivity)

  ($<\le$)     $\dfrac{w <_{\rho,\tau} v}{w \le_{\rho,\tau} v}$

  ($R$in')     $\dfrac{\mathrm{in}_j(v)\ R\ w}{v\ R\ w}$

  ($R$tup')    $\dfrac{(\vec{v})\ R\ w}{v_j\ R\ w}$

  ($R$arr')    $\dfrac{f\ R\ w \quad f@u \Downarrow v}{v\ R\ w}$

  ($R$fold')   $\dfrac{\mathrm{fold}(v)\ R\ w}{v\ R\ w}$

Lexicographic ordering $\prec^\pi_k \subseteq \mathrm{VAL}^{\Pi\vec{\sigma}} \times \mathrm{VAL}^{\Pi\vec{\sigma}}$ for closed types $\vec{\sigma}$,
permutation $\pi \in S_n$ and $k \in \mathbb{N}$

  (lex$<$)     $\dfrac{v_{\pi(k)} < w_{\pi(k)}}{(\vec{v}) \prec^\pi_k (\vec{w})}$

  (lex$\le$)   $\dfrac{v_{\pi(k)} \le w_{\pi(k)} \quad (\vec{v}) \prec^\pi_{k+1} (\vec{w})}{(\vec{v}) \prec^\pi_k (\vec{w})}$

Table 4 shows the definition of the lexicographic extension $\prec^\pi$ of the structural
ordering on values, which we obtain from $\prec^\pi_k$ for $k = 1$. In [AA99] we proved
that it is wellfounded. We will exploit this fact later in the proof of "$f$ terminates
at input $v$", doing noetherian induction. Thus we have the hypothesis for all
smaller $v' \prec v$ at hand for the proof of termination at $v$.
3 A Formal System for Structural Recursion

In this section we will introduce the foetus termination calculus, but first
motivate it by an example. Consider the following foetus implementation of the
addition of ordinal numbers. We define two type abbreviations

  $\mathrm{Nat} = \mu X.\ 1 + X$
  $\mathrm{Ord} = \mu X.\ 1 + X + (\mathrm{Nat} \to X)$

The constructors of Ord and the addition function are

  $\mathrm{O} = \mathrm{fold}(\mathrm{in}_1())$
  $\mathrm{S}(u) = \mathrm{fold}(\mathrm{in}_2(u))$
  $\mathrm{Lim}(f) = \mathrm{fold}(\mathrm{in}_3(f))$

  $\mathrm{add} = \mathrm{fun}\ \mathrm{add}^{\Pi(\mathrm{Ord}) \to \mathrm{Ord}}(y^{\mathrm{Ord}}) = \mathrm{case}(\mathrm{unfold}(y),$
      $\_^{1}.\ x,$
      $n^{\mathrm{Ord}}.\ \mathrm{S}(\mathrm{add}(n)),$
      $f^{\mathrm{Nat} \to \mathrm{Ord}}.\ \mathrm{Lim}(\lambda z^{\mathrm{Nat}}.\ \mathrm{add}(f\,z)))$

(The superindex 1 in the first branch of the case expression is just a type
annotation, stating that the variable $\_$ can only contain the empty tuple.)

In our term language we can only define add, if add is structurally recursive
in its function body. For this we require that in all recursive calls the argument
is structurally smaller than the input parameter of the function. In our case this
gives us the proof obligations

  1. $n < y$
  2. $f\,z < y$

Our approach works as follows: We descend into the function body until we reach
the recursive calls, and on our way we collect dependency information between
variables. These dependencies are generated whenever we pass a case-expression.
Thus for call 1 we get the dependency $n < \mathrm{unfold}(y)$. From this we infer $n < y$
since we require a folding step to increase the structural ordering strictly.

For call 2 we infer $f\,z < y$ from $f < \mathrm{unfold}(y)$. We justify this by $f\,z \le f$.
The latter is valid since we regard functions as (possibly infinitely branching)
trees and application as selection of one branch.

The formalization of the above informally described method consists of three
relations on terms:

  1. the structural ordering $<^{\mathrm{Tm}}$ (with its non-strict version $\le^{\mathrm{Tm}}$),
  2. its lexicographic extension $\prec^\pi$ (needed, e.g., for the Ackermann function), and
  3. the predicate of structural recursiveness "sr".
3.1 Structural Ordering on Terms

In the following we will make precise the definition of the structural ordering on
terms and give rules that allow us to derive a relation between two terms under
a given set of dependencies.

Table 5. Structural ordering on Terms

Right hand side rules ($R \in \{<^{\mathrm{Tm}}, \le^{\mathrm{Tm}}\}$)

  ($R$caseR)  $\dfrac{\Delta, x_i <^{\mathrm{Tm}} s \vdash s_i\ R\ t \text{ for } i = 1, \ldots, n}{\Delta \vdash \mathrm{case}(s, \vec{x}.\vec{s})\ R\ t}$

  ($R$piR)    $\dfrac{\Delta \vdash s\ R\ t}{\Delta \vdash \mathrm{pi}_j(s)\ R\ t}$

  ($R$appR)   $\dfrac{\Delta \vdash s\ R\ t}{\Delta \vdash s\,a\ R\ t}$

  ($R$unfR)   $\dfrac{\Delta \vdash s\ R\ t}{\Delta \vdash \mathrm{unfold}(s)\ R\ t}$

Left hand side rules ($R \in \{<^{\mathrm{Tm}}, \le^{\mathrm{Tm}}\}$)

  ($R$caseL)  $\dfrac{\Delta, x_i <^{\mathrm{Tm}} t, y\ R\ t_i, \Delta' \vdash p \text{ for } i = 1, \ldots, n}{\Delta, y\ R\ \mathrm{case}(t, \vec{x}.\vec{t}), \Delta' \vdash p}$

  ($R$piL)    $\dfrac{\Delta, y\ R\ t, \Delta' \vdash p}{\Delta, y\ R\ \mathrm{pi}_j(t), \Delta' \vdash p}$

  ($R$appL)   $\dfrac{\Delta, y\ R\ s, \Delta' \vdash p}{\Delta, y\ R\ s\,a, \Delta' \vdash p}$

  ($R$unfL)   $\dfrac{\Delta, y\ R\ t, \Delta' \vdash p}{\Delta, y\ R\ \mathrm{unfold}(t), \Delta' \vdash p}$

Reflexivity and transitivity

  ($\le^{\mathrm{Tm}}$refl)    $\dfrac{}{\Delta \vdash t \le^{\mathrm{Tm}} t}$

  ($<^{\mathrm{Tm}}$transL)  $\dfrac{\Delta \vdash s\ R\ t \quad y <^{\mathrm{Tm}} s \in \Delta \quad R \in \{<^{\mathrm{Tm}}, \le^{\mathrm{Tm}}\}}{\Delta \vdash y <^{\mathrm{Tm}} t}$

  ($<^{\mathrm{Tm}}$transR)  $\dfrac{\Delta \vdash s <^{\mathrm{Tm}} t \quad y\ R\ s \in \Delta \quad R \in \{<^{\mathrm{Tm}}, \le^{\mathrm{Tm}}\}}{\Delta \vdash y <^{\mathrm{Tm}} t}$

  ($\le^{\mathrm{Tm}}$trans)   $\dfrac{\Delta \vdash s\ R\ t \quad y\ S\ s \in \Delta \quad R, S \in \{<^{\mathrm{Tm}}, \le^{\mathrm{Tm}}\}}{\Delta \vdash y \le^{\mathrm{Tm}} t}$

Declaration 1 (Structural ordering). The structural ordering on terms $<^{\mathrm{Tm}}$
and its non-strict version $\le^{\mathrm{Tm}}$ are defined as families of relations indexed over
a pair of types: For all $\sigma, \tau \in \mathrm{Ty}$ we define

  $<^{\mathrm{Tm}}_{\sigma,\tau} \subseteq \mathrm{Tm}^\sigma \times \mathrm{Tm}^\tau$
  $\le^{\mathrm{Tm}}_{\sigma,\tau} \subseteq \mathrm{Tm}^\sigma \times \mathrm{Tm}^\tau$

For purposes of readability we will generally omit the indices.
Definition 4 (Dependencies). A set of dependencies $\Delta$ consists of relations
$y\ R\ t$ where $y \in \mathrm{TmVar}^\sigma$, $t \in \mathrm{Tm}^\tau$, $R \in \{<^{\mathrm{Tm}}, \le^{\mathrm{Tm}}\}$.

Definition 5 (Derivation of structural ordering). By the rules in Table 5
we introduce the judgement

  $\Delta \vdash s\ R\ t \qquad R \in \{<^{\mathrm{Tm}}, \le^{\mathrm{Tm}}\}$

Read "under the dependencies $\Delta$ we know that $s$ is less (or equal) than $t$".

The right hand rules work on the judgements we want to derive, whereas the
left hand side rules work on the dependencies, which (in backward reading)
are only introduced by the treatment of case statements (rules ($R$caseR) and
(srcase), see next section). Therefore the dependencies can be restricted to the
form $y\ R^{\mathrm{Tm}}\ t$, where $y$ is the fresh variable introduced for one clause in the case
statement. Typically $t$, the term that is analyzed by the case expression, will be
of the form $\mathrm{unfold}(t')$, hence ($<^{\mathrm{Tm}}$unfL) will be the left rule mostly
used in practice. To see the system "in action", we give derivations of the proof
obligations for add (omitting the superindex Tm; each line is obtained from the
line above it by the rule named on the right):



Call 1:

  $n < y \vdash y \le y$                                  ($\le$refl)
  $n < y \vdash n < y$                                    ($<$transL)
  $n < \mathrm{unfold}(y) \vdash n < y$                   ($<$unfL)

Call 2:

  $f < y \vdash y \le y$                                  ($\le$refl)
  $f < y \vdash f < y$                                    ($<$transL)
  $f < \mathrm{unfold}(y) \vdash f < y$                   ($<$unfL)
  $f < \mathrm{unfold}(y) \vdash f\,z < y$                ($<$appR)

The rule ($<^{\mathrm{Tm}}$caseL) is needed for nested case statements, as for instance in the
following curious implementation of the "half" function:

  $\mathrm{fun}\ \mathrm{half}^{\mathrm{Nat} \to \mathrm{Nat}}(n^{\mathrm{Nat}}) = \mathrm{case}(\mathrm{unfold}(\mathrm{case}(\mathrm{unfold}(n),$
          $\_.\ n,$
          $n_1^{\mathrm{Nat}}.\ n_1)),$
      $\_.\ \mathrm{O},$
      $n_2^{\mathrm{Nat}}.\ \mathrm{S}(\mathrm{half}(n_2)))$

The obligation $n_2 < n$ is proven as follows (read bottom-up; the two judgements
in the first line are the premises of ($<$caseL), each of which is closed by ($<$unfL),
($<$transL) and ($\le$refl) as above):

  $\_ < \mathrm{unfold}(n), n_2 < n \vdash n_2 < n$   and   $n_1 < \mathrm{unfold}(n), n_2 < n_1 \vdash n_2 < n$
  $n_2 < \mathrm{case}(\mathrm{unfold}(n), \_.n, n_1.n_1) \vdash n_2 < n$                          ($<$caseL)
  $n_2 < \mathrm{unfold}(\mathrm{case}(\mathrm{unfold}(n), \_.n, n_1.n_1)) \vdash n_2 < n$         ($<$unfL)

3.2 Lexicographic Extension

To handle functions like the Ackermann function, we need to extend our calculus
to lexicographic orderings. This requires just two additional rules.

Declaration 2 (Lexicographic ordering). Given closed types $\vec{\sigma} = \sigma_1, \ldots, \sigma_n$
and a permutation $\pi \in S_n$ we define the relation

  $(s_1, \ldots, s_n) \prec^{\pi,\vec{\sigma}} t$   where $s_1 \in \mathrm{Tm}^{\sigma_1}, \ldots, s_n \in \mathrm{Tm}^{\sigma_n}$ and $t \in \mathrm{Tm}^{\Pi\vec{\sigma}}$

To enhance readability we will usually omit the second index $\vec{\sigma}$.

By this definition we mean that term $(\vec{s})$ is lexicographically smaller than
term $t$ w.r.t. a permutation $\pi$ of the components. Note that the left hand side
must be a tuple syntactically, whereas the right hand side may be any term of
product type.

Definition 6 (Derivation of lexicographic ordering). By the following rules
we introduce an auxiliary judgement

  $\Delta \vdash (\vec{s}) \prec^\pi_k t \qquad 1 \le k \le n = |\vec{s}|$

In case of $k = 1$ we just write $\Delta \vdash (\vec{s}) \prec^\pi t$. Read "under the dependencies $\Delta$
we know that $(\vec{s})$ is lexicographically smaller than $t$ w.r.t. the permutation $\pi$".

  (lex$<^{\mathrm{Tm}}$)   $\dfrac{\Delta \vdash s_{\pi(k)} <^{\mathrm{Tm}} \mathrm{pi}_{\pi(k)}(t)}{\Delta \vdash (\vec{s}) \prec^\pi_k t}$

  (lex$\le^{\mathrm{Tm}}$)  $\dfrac{\Delta \vdash s_{\pi(k)} \le^{\mathrm{Tm}} \mathrm{pi}_{\pi(k)}(t) \quad \Delta \vdash (\vec{s}) \prec^\pi_{k+1} t}{\Delta \vdash (\vec{s}) \prec^\pi_k t}$

This encodes the standard lexicographic ordering. We start in comparing the first
component ($k = 1$) of tuple $(\vec{s})$ with tuple $t$. If it is only non-strictly smaller, we
have to consider the next component ($k \mapsto k + 1$). The terms "first" and "next"
have to be seen relatively to the permutation $\pi$. Since there is no rule for $k = n + 1$,
the comparison must become strict at some component.

3.3 Structural Recursiveness

As a frame for the derivation system for size relations on terms, we now define
the judgement "sr" that we introduced in Sect. 2. Roughly described, a function
$g$ will be structurally recursive in a term $t$, if it is so in all subterms of $t$ and
is called recursively only with smaller arguments (see rule (srapprec)). This is
where a reference to the judgement $\prec^\pi$ is made.

Definition 7 (Derivation of structural recursiveness). We introduce the
judgement

  $\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t \qquad \text{where } g \in \mathrm{TmVar}^{\Pi\vec{\sigma} \to \tau},\ x \in \mathrm{TmVar}^{\Pi\vec{\sigma}},\ t \in \mathrm{Tm}^\rho,$

read "under the dependencies $\Delta$ the function $g$ with parameter $x$ is structurally
recursive in $t$ w.r.t. the permutation $\pi$", by the following rules.

  (srvar)     $\dfrac{y \ne g}{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ y}$

  (srweak)    $\dfrac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t[\Gamma]}{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t[\Gamma, y]}$

  (srin)      $\dfrac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t}{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ \mathrm{in}_j(t)}$

  (srcase)    $\dfrac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ s \quad \Delta, x_i <^{\mathrm{Tm}} s \vdash g(x)\ \mathrm{sr}_\pi\ t_i \text{ for } i = 1, \ldots, |\vec{t}|}{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ \mathrm{case}(s, \vec{x}.\vec{t})}$

  (srtup)     $\dfrac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t_i \text{ for } i = 1, \ldots, |\vec{t}|}{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ (\vec{t})}$

  (srpi)      $\dfrac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t}{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ \mathrm{pi}_j(t)}$

  (srlam)     $\dfrac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t \quad y \notin \{g, x\}}{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ \lambda y.t}$

  (srapp)     $\dfrac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t \quad \Delta \vdash g(x)\ \mathrm{sr}_\pi\ s}{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t\,s}$

  (srapprec)  $\dfrac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ (\vec{a}) \quad \Delta \vdash (\vec{a}) \prec^\pi x}{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ g(\vec{a})}$

  (srfold)    $\dfrac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t}{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ \mathrm{fold}(t)}$

  (srunfold)  $\dfrac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t}{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ \mathrm{unfold}(t)}$

Note that $g$, $x$ and $\pi$ remain fixed in all rules. Furthermore, since there is no rule
for recursive terms and since "sr" is used in the term definition, in our system a
nested definition of functions, and thus mutual recursion, is not possible.



Definition 8 (Syntactically structurally recursive). We define a recursive
term $\mathrm{fun}\ g(x) = t$ to be syntactically structurally recursive,

  $\Delta \vdash g(x)\ \mathrm{sr}\ t,$

if there is a permutation $\pi$ s.th. $\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t$.

As an example we show that add is a definable term in the foetus system.
Expanding the syntactic sugar and the abbreviations and omitting some type
annotations the term becomes

  $\lambda x.\ \mathrm{fun}\ \mathrm{add}(y^{\Pi(\mathrm{Ord})}) = \mathrm{case}(\mathrm{unfold}(\mathrm{pi}_1(y)),$
      $\_.\ x,$
      $n.\ \mathrm{fold}(\mathrm{in}_2(\mathrm{add}(n))),$
      $f.\ \mathrm{fold}(\mathrm{in}_3(\lambda z.\ \mathrm{add}(f\,z))))$

To prove $\mathrm{add} \in \mathrm{Tm}^{\mathrm{Ord} \to \Pi(\mathrm{Ord}) \to \mathrm{Ord}}$ we have to show that

  $\vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ \mathrm{case}(\ldots)$

where $\pi$ is the identical permutation in $S_1$. We infer our goal by (srcase),
obtaining four subgoals:
Head term (each line follows from the one above by the rule named on the right):

  $y \ne \mathrm{add}$
  $\vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ y$                                            (srvar)
  $\vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ \mathrm{pi}_1(y)$                               (srpi)
  $\vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ \mathrm{unfold}(\mathrm{pi}_1(y))$               (srunfold)

Side term 1:

  $x \ne \mathrm{add}$
  $\_ <^{\mathrm{Tm}} \mathrm{unfold}(\mathrm{pi}_1(y)) \vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ x$     (srvar)

Side terms 2 and 3: We prove them by reusing the derivations for structural
ordering in Sect. 3.1, substituting $\mathrm{pi}_1(y)$ for $y$ in all occurrences. (The first
premise of (srapprec), $\Delta \vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ (n)$ resp. $\Delta \vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ (f\,z)$,
follows by (srtup), (srapp) and (srvar) and is not displayed.)

  $n <^{\mathrm{Tm}} \mathrm{unfold}(\mathrm{pi}_1(y)) \vdash n <^{\mathrm{Tm}} \mathrm{pi}_1(y)$                                                  (Sect. 3.1)
  $n <^{\mathrm{Tm}} \mathrm{unfold}(\mathrm{pi}_1(y)) \vdash (n) \prec^\pi y$                                                             (lex$<^{\mathrm{Tm}}$)
  $n <^{\mathrm{Tm}} \mathrm{unfold}(\mathrm{pi}_1(y)) \vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ \mathrm{add}(n)$                                  (srapprec)
  $n <^{\mathrm{Tm}} \mathrm{unfold}(\mathrm{pi}_1(y)) \vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ \mathrm{in}_2(\mathrm{add}(n))$                    (srin)
  $n <^{\mathrm{Tm}} \mathrm{unfold}(\mathrm{pi}_1(y)) \vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ \mathrm{fold}(\mathrm{in}_2(\mathrm{add}(n)))$      (srfold)

  $f <^{\mathrm{Tm}} \mathrm{unfold}(\mathrm{pi}_1(y)) \vdash f\,z <^{\mathrm{Tm}} \mathrm{pi}_1(y)$                                               (Sect. 3.1)
  $f <^{\mathrm{Tm}} \mathrm{unfold}(\mathrm{pi}_1(y)) \vdash (f\,z) \prec^\pi y$                                                          (lex$<^{\mathrm{Tm}}$)
  $f <^{\mathrm{Tm}} \mathrm{unfold}(\mathrm{pi}_1(y)) \vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ \mathrm{add}(f\,z)$                               (srapprec)
  $f <^{\mathrm{Tm}} \mathrm{unfold}(\mathrm{pi}_1(y)) \vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ \lambda z.\ \mathrm{add}(f\,z)$                   (srlam, $z \notin \{\mathrm{add}, y\}$)
  $f <^{\mathrm{Tm}} \mathrm{unfold}(\mathrm{pi}_1(y)) \vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ \mathrm{in}_3(\lambda z.\ \mathrm{add}(f\,z))$     (srin)
  $f <^{\mathrm{Tm}} \mathrm{unfold}(\mathrm{pi}_1(y)) \vdash \mathrm{add}(y)\ \mathrm{sr}_\pi\ \mathrm{fold}(\mathrm{in}_3(\lambda z.\ \mathrm{add}(f\,z)))$   (srfold)
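The calculus of Sect. 3 (Table 5, Definitions 6 to 8) is small enough to run. The program below is an added example, not code from the paper or from the foetus or Agda checkers: it decides the sr judgement on a tuple encoding of terms (the encoding, the helper names and the search strategy are assumptions made here). Instead of applying the left-hand rules lazily at the point where a derivation needs them, it saturates the dependency set under (RpiL), (RunfL), (RappL) and (RcaseL) and keeps the original atoms beside the stripped ones, which is sound because every stripped atom is a consequence of the original; (RcaseL) splits the set into alternatives, and a goal must hold under each. It checks the paper's `add`, the nested-case `half`, the Ackermann function (accepted only under the identity permutation, which is why Definition 8 quantifies over $\pi$), and a definition that calls itself on `S(m)`, i.e. on its own input, which the check rightly rejects.

```python
"""Added example, not the paper's code: a checker for Delta |- g(x) sr_pi t
(Definitions 5-8, Table 5) on an untyped tuple encoding of foetus terms; the
encoding, the helper names and the search strategy below are ours.
Terms: ('var', y) | ('in', j, t) | ('case', s, ((x1, t1), ...)) | ('tup', (t1, ...))
     | ('pi', j, t) | ('lam', y, t) | ('app', t, s) | ('fold', t) | ('unfold', t);
a recursive call is ('app', ('var', g), ('tup', args)); pi_j is 1-based as in the paper."""
from itertools import permutations

LT, LE = '<', '<='   # <^Tm and <=^Tm; a dependency "y R t" is the triple (y, R, t)

def saturate(deps, done=()):
    """Close Delta under the left-hand rules of Table 5, keeping the original atoms
    (their stripped forms are consequences).  (RcaseL) splits Delta into one
    alternative per branch, so a list of alternatives is returned."""
    work, done = list(deps), list(done)
    while work:
        dep = work.pop()
        if dep in done:
            continue
        done.append(dep)
        y, R, t = dep
        if t[0] in ('pi', 'unfold', 'app'):                    # (RpiL) (RunfL) (RappL)
            work.append((y, R, t[2] if t[0] == 'pi' else t[1]))
        elif t[0] == 'case':                                   # (RcaseL): x_i < scrutinee and y R t_i, per branch
            return [alt for xi, ti in t[2]
                    for alt in saturate(work + [(xi, LT, t[1]), (y, R, ti)], done)]
    return [done]

def less(deps, s, R, t, seen=frozenset()):
    """Delta |- s R t (Definition 5): must hold under every alternative of Delta."""
    return all(_less(alt, s, R, t, seen) for alt in saturate(deps))

def _less(deps, s, R, t, seen):
    key = (tuple(deps), s, R, t)
    if key in seen:                                            # cut cycles through the dependencies
        return False
    seen = seen | {key}
    if R == LE and s == t:                                     # (<=Tmrefl)
        return True
    if s[0] == 'case':                                         # (RcaseR): every branch, under x_i < scrutinee
        return all(less(deps + [(xi, LT, s[1])], si, R, t, seen) for xi, si in s[2])
    if s[0] in ('pi', 'unfold', 'app'):                        # (RpiR) (RunfR) (RappR)
        return _less(deps, s[2] if s[0] == 'pi' else s[1], R, t, seen)
    if s[0] == 'var':
        for y, S, u in deps:                                   # transitivity through a dependency y S u:
            need = LT if (R == LT and S == LE) else LE         # (<TmtransL) (<TmtransR) (<=Tmtrans)
            if y == s[1] and _less(deps, u, need, t, seen):
                return True
    return False

def lex(deps, args, perm, k, x):
    """Delta |- (args) lex^perm_k x (Definition 6): component perm[k] against pi_perm[k](x)."""
    j = perm[k]
    proj = ('pi', j + 1, ('var', x))
    if less(deps, args[j], LT, proj):                          # (lex<Tm)
        return True
    return k + 1 < len(args) and less(deps, args[j], LE, proj) and lex(deps, args, perm, k + 1, x)

def sr(deps, g, x, perm, t):
    """Delta |- g(x) sr_perm t (Definition 7); one clause per rule."""
    if t[0] == 'var':                                          # (srvar)
        return t[1] != g
    if t[0] == 'app' and t[1] == ('var', g):                   # (srapprec): tuple argument, lex-smaller than x
        a = t[2]
        return a[0] == 'tup' and len(a[1]) == len(perm) and sr(deps, g, x, perm, a) and lex(deps, a[1], perm, 0, x)
    if t[0] == 'case':                                         # (srcase): each branch under x_i < s
        return sr(deps, g, x, perm, t[1]) and all(sr(deps + [(xi, LT, t[1])], g, x, perm, ti) for xi, ti in t[2])
    if t[0] == 'lam':                                          # (srlam)
        return t[1] not in (g, x) and sr(deps, g, x, perm, t[2])
    if t[0] == 'tup':                                          # (srtup)
        return all(sr(deps, g, x, perm, ti) for ti in t[1])
    if t[0] == 'app':                                          # (srapp)
        return sr(deps, g, x, perm, t[1]) and sr(deps, g, x, perm, t[2])
    if t[0] in ('in', 'pi', 'fold', 'unfold'):                 # (srin) (srpi) (srfold) (srunfold)
        return sr(deps, g, x, perm, t[-1])
    return False                                               # no rule, e.g. a nested fun: rejected

def structurally_recursive(g, x, arity, body):
    """Definition 8: {} |- g(x) sr_pi body for some permutation pi of the arity components."""
    return any(sr([], g, x, perm, body) for perm in permutations(range(arity)))

# The paper's examples with the syntactic sugar expanded: y is the product parameter,
# pi_1(y) its first component.  (Encodings constructed for this example.)
V = lambda y: ('var', y)
ZERO = ('fold', ('in', 1, ('tup', ())))
SUCC = lambda t: ('fold', ('in', 2, t))
call = lambda g, *args: ('app', V(g), ('tup', args))
LIM = ('fold', ('in', 3, ('lam', 'z', call('add', ('app', V('f'), V('z'))))))
ADD = ('case', ('unfold', ('pi', 1, V('y'))),
       (('_', V('x')), ('n', SUCC(call('add', V('n')))), ('f', LIM)))
HALF = ('case', ('unfold', ('case', ('unfold', ('pi', 1, V('y'))), (('_', ('pi', 1, V('y'))), ('n1', V('n1'))))),
        (('_', ZERO), ('n2', SUCC(call('half', V('n2'))))))
ACK_INNER = ('case', ('unfold', ('pi', 2, V('y'))),
             (('_', call('ack', V('m'), SUCC(ZERO))),
              ('n', call('ack', V('m'), call('ack', ('pi', 1, V('y')), V('n'))))))
ACK = ('case', ('unfold', ('pi', 1, V('y'))),                  # Ackermann on (m, n): needs the lexicographic ordering
       (('_', SUCC(('pi', 2, V('y')))), ('m', ACK_INNER)))
BAD = ('case', ('unfold', ('pi', 1, V('y'))),                  # calls itself on S(m), which is the input: rejected
       (('_', ZERO), ('m', call('bad', SUCC(V('m'))))))

if __name__ == '__main__':
    for name, arity, body in (('add', 1, ADD), ('half', 1, HALF), ('ack', 2, ACK), ('bad', 1, BAD)):
        print(name, 'accepted' if structurally_recursive(name, 'y', arity, body) else 'rejected')
```

Saturating the dependencies also handles the "half" obligation without choosing the order in which ($<^{\mathrm{Tm}}$unfL) and ($<^{\mathrm{Tm}}$caseL) are applied: both alternatives produced by the nested case contain an atom $n_2 < \ldots$ from which $n_2 < \mathrm{pi}_1(y)$ follows by transitivity and reflexivity. The `BAD` definition is the failure mode the system is designed to catch: no right-hand rule applies to a `fold`, so $\mathrm{S}(m)$ is never found smaller than the parameter.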



4 Soundness of the Structural Ordering

In this section we show that the ordering on values corresponds to the structural
ordering on terms. We accomplish this by proving that evaluation preserves the
structural ordering. To this end, we give an interpretation of the judgement
$\Delta \vdash s\ R^{\mathrm{Tm}}\ t$:

Definition 9 (Weak and strong interpretation of the structural ordering).
We define the propositions "environment $e$ satisfies (weakly) the relation
$s\ R^{\mathrm{Tm}}\ t$ for the terms $s$ and $t$" and "$e$ satisfies the dependencies $\Delta$":

  $e \models^{\mathrm{wk}} s\ R^{\mathrm{Tm}}\ t \iff \forall v, w.\ (s; e) \Downarrow v \to (t; e) \Downarrow w \to v\ R\ w$
  $e \models s\ R^{\mathrm{Tm}}\ t \iff \exists v, w.\ (s; e) \Downarrow v\ \&\ (t; e) \Downarrow w\ \&\ v\ R\ w$
  $e \models \Delta \iff \forall p \in \Delta.\ e \models p$
Strong satisfaction of an atom $p$ of the form $s\ R^{\mathrm{Tm}}\ t$ carries evidence that $s$
and $t$ are strongly evaluating, whereas weak satisfaction needs proof of this.
We will interpret atoms in the dependencies (left hand side) strongly and the
concluded atom (right hand side) weakly. The reason for this asymmetry lies in
the architecture of the sr-judgement. Interpreting terms $t$ for which the judgment
$\Delta \vdash g(x)\ \mathrm{sr}\ t$ holds as strongly terminating (which we will do in Sect. 5), we
can read off the definition of sr that only strongly evaluating terms enter the
dependencies.

Lemma 1 (Weakening). Extending the environment does not destroy satisfaction
of dependencies.

  $\dfrac{e \models^{\mathrm{wk}} p}{e, x = v \models^{\mathrm{wk}} p} \qquad\qquad \dfrac{e \models \Delta}{e, x = v \models \Delta}$

Proof. Since by the definition of contexts and environments $x$ must be a new
variable, it does not appear in $e$ and thus not in any of the terms in $p$ or $\Delta$.

Theorem 1. The structural ordering on terms and its lexicographic extension
are preserved by the operational semantics.

  $\dfrac{\Delta \vdash p}{\forall e \models \Delta.\ e \models^{\mathrm{wk}} p}$

Proof. By induction on $\Delta \vdash p$.

Right hand side rules ($R \in \{<^{\mathrm{Tm}}, \le^{\mathrm{Tm}}\}$):

($R$caseR) We have to show

  $\dfrac{\forall i, e' \models (\Delta, x_i <^{\mathrm{Tm}} s).\ e' \models^{\mathrm{wk}} s_i\ R^{\mathrm{Tm}}\ t \quad e \models \Delta \quad (\mathrm{case}(s, \vec{x}.\vec{s}); e) \Downarrow v \quad (t; e) \Downarrow w}{v\ R\ w}$

The assumption $(\mathrm{case}(s, \vec{x}.\vec{s}); e) \Downarrow v$ entails by (opcase$^{-1}$) $(s; e) \downarrow \mathrm{in}_j(v')$,
and since $s$ is a subterm of $\mathrm{case}(s, \vec{x}.\vec{s})$, by Definition 3 also
$\mathrm{in}_j(v') \in \mathrm{VAL}$. By an instance of the induction hypothesis using $j$
and $e' = (e, x_j = v')$ (which is of course a good environment) we
obtain $e' \models^{\mathrm{wk}} s_j\ R^{\mathrm{Tm}}\ t$ (*), leaving us four subgoals.

1. $e' \models \Delta$: by weakening (Lemma 1)

2. $(x_j; e') \Downarrow v'$: by (opvar)

3. $(s; e') \Downarrow \mathrm{in}_j(v')$: by (opweak)

4. $v' < \mathrm{in}_j(v')$: by ($<$in)

Since by (opcase$^{-1}$) also $(s_j; e') \Downarrow v$ and by (opweak) $(t; e') \Downarrow w$ we
can infer our goal $v\ R\ w$ from (*).

($R$piR) Our goal is

  $\dfrac{(s; e) \Downarrow (\vec{v}) \to (t; e) \Downarrow w \to (\vec{v})\ R\ w \quad (\mathrm{pi}_j(s); e) \Downarrow v_j \quad (t; e) \Downarrow w}{v_j\ R\ w}$

Since (oppi$^{-1}$) entails $(s; e) \Downarrow (\vec{v})$ because $s$ is a subterm of $\mathrm{pi}_j(s)$,
we can use the ind.hyp. and achieve our goal using ($R$tup').

($R$appR) Here we show

  $\dfrac{(s; e) \Downarrow f \to (t; e) \Downarrow w \to f\ R\ w \quad (s\,a; e) \Downarrow v \quad (t; e) \Downarrow w}{v\ R\ w}$

By (opapp$^{-1}$) and the subterm property $(s; e) \Downarrow f$, $(a; e) \Downarrow u$ and
$f@u \Downarrow v$. Hence we complete using the ind.hyp. and the rule ($R$arr').

($R$unfR) analogously using (opunfold$^{-1}$) and ($R$fold')

Left hand side rules ($R \in \{<^{\mathrm{Tm}}, \le^{\mathrm{Tm}}\}$): All the goals we have to show are of
the form

  $\dfrac{\forall e' \models (\Delta, q', \Delta').\ e' \models^{\mathrm{wk}} p}{\forall e \models (\Delta, q, \Delta').\ e \models^{\mathrm{wk}} p}$

where $q'$ stands for the dependencies replacing $q$ in the premise of the rule.
Hence by weakening it suffices to show $e' \models q'$ from $e \models q$ for each case, where $e'$
is $e$ or an extension of $e$.

($R$caseL) Assume $e \models y\ R\ \mathrm{case}(t, \vec{x}.\vec{t})$, which expands to the three propositions
$(y; e) \Downarrow v$ (1), $(\mathrm{case}(t, \vec{x}.\vec{t}); e) \Downarrow w$ (2) and $v\ R\ w$ (3). The rule
(opcase$^{-1}$) plus subterm property entails $(t; e) \Downarrow \mathrm{in}_j(v')$ (2a) and
$(t_j; e, x_j = v') \Downarrow w$ (2b). Our two goals are:

1. $e, x_j = v' \models x_j <^{\mathrm{Tm}} t$: We prove this by $(x_j; e, x_j = v') \Downarrow v'$
(opvar), by (2a) and by $v' < \mathrm{in}_j(v')$ ($<$in).

2. $e, x_j = v' \models y\ R\ t_j$: By (1), (2b) and (3) using weakening.

($R$piL) We expand our goal to

  $\dfrac{(y; e) \Downarrow v \quad (\mathrm{pi}_j(t); e) \Downarrow w_j \quad v\ R\ w_j}{(y; e) \Downarrow v \quad (t; e) \Downarrow (\vec{w}) \quad v\ R\ (\vec{w})}$

It follows from (oppi$^{-1}$), subterm property and ($R$tup).

($R$appL) The expanded goal is

  $\dfrac{(y; e) \Downarrow v \quad (s\,a; e) \Downarrow w \quad v\ R\ w}{(y; e) \Downarrow v \quad (s; e) \Downarrow f \quad v\ R\ f}$

By (opapp$^{-1}$) and subterm property $(s; e) \Downarrow f$, $(a; e) \Downarrow u$ and $f@u \Downarrow w$.
Thus $v\ R\ f$ follows by ($R$arr).

($R$unfL) analogously using (opunfold$^{-1}$) and ($R$fold)

Reflexivity and transitivity:

($\le^{\mathrm{Tm}}$refl) $e \models^{\mathrm{wk}} t \le^{\mathrm{Tm}} t$ follows from ($\le$refl).
($<^{\mathrm{Tm}}$transL) We have to show ($R \in \{<, \le\}$)

  $\dfrac{e \models^{\mathrm{wk}} s\ R^{\mathrm{Tm}}\ t \quad e \models y <^{\mathrm{Tm}} s \quad (y; e) \Downarrow u \quad (t; e) \Downarrow w}{u < w}$

From $e \models y <^{\mathrm{Tm}} s$ we obtain $(s; e) \Downarrow v$ and $u < v$ and thus by
the first premise $v\ R\ w$. Transitivity of the structural ordering
on values implies $u < w$.

($<^{\mathrm{Tm}}$transR) analogously

($\le^{\mathrm{Tm}}$trans) analogously

Lexicographic extension:

(lex$<^{\mathrm{Tm}}$) We have the simplified goal

  $\dfrac{e \models^{\mathrm{wk}} s_{\pi(k)} <^{\mathrm{Tm}} \mathrm{pi}_{\pi(k)}(t) \quad ((\vec{s}); e) \Downarrow (\vec{v}) \quad (t; e) \Downarrow (\vec{w})}{(\vec{v}) \prec^\pi_k (\vec{w})}$

By (optup$^{-1}$) $(s_{\pi(k)}; e) \Downarrow v_{\pi(k)}$ and by (oppi) $(\mathrm{pi}_{\pi(k)}(t); e) \Downarrow w_{\pi(k)}$,
hence $v_{\pi(k)} < w_{\pi(k)}$, and the goal $(\vec{v}) \prec^\pi_k (\vec{w})$ follows from (lex$<$).

(lex$\le^{\mathrm{Tm}}$) Our simplified goal is

  $\dfrac{e \models^{\mathrm{wk}} s_{\pi(k)} \le^{\mathrm{Tm}} \mathrm{pi}_{\pi(k)}(t) \quad (\vec{v}) \prec^\pi_{k+1} (\vec{w}) \quad ((\vec{s}); e) \Downarrow (\vec{v}) \quad (t; e) \Downarrow (\vec{w})}{(\vec{v}) \prec^\pi_k (\vec{w})}$

It follows analogously to (lex$<^{\mathrm{Tm}}$) using (lex$\le$). □

5 Soundness of Structural Recursion

We transfer the syntactic property of being structurally recursive to our semantics. Then we show that every structurally recursive term is good.

Definition 10 (Semantically structurally recursive). We say a function value $f$ of type $\sigma \to \tau$ is semantically structurally recursive if it terminates on all inputs $v$ under the condition that it terminates on all lexicographically smaller inputs $w \prec v$:

\[\forall v \in \mathrm{VAL}^\sigma.\ (\forall w \in \mathrm{VAL}^\sigma.\ w \prec v \to f@w\Downarrow) \to f@v\Downarrow\]

Proposition 1. The semantically structurally recursive function values of type $\sigma \to \tau$ are exactly the good ones, i.e., the elements of $\mathrm{VAL}^{\sigma \to \tau}$.

Proof. The domain $\mathrm{VAL}^\sigma$ of the inputs of all function values of type $\sigma \to \tau$ is wellfounded w.r.t. the lexicographic ordering, which we have shown in detail in [Abe99] and [AA99]. Thus the wellfounded induction principle establishes the equality between semantically structurally recursive and good functions. □
Theorem 2. Every recursive term of type $\sigma \to \tau$ and context $\Gamma$ is good in a good initial environment $e_0 \in \mathrm{VAL}(\Gamma)$:

\[(\mathrm{fun}\ g(x) = t_0;\ e_0) \in \mathrm{VAL}^{\sigma \to \tau}\]

Proof. By definition there exists a permutation $\pi$ s.th. $\vdash g(x)\ \mathrm{sr}_\pi\ t_0$. Using the abbreviation

\[f_0 = (\mathrm{fun}\ g(x) = t_0;\ e_0)\]

and proposition 1 our goal becomes $(\forall w \in \mathrm{VAL}^\sigma.\ w \prec_\pi v_0 \to f_0@w\Downarrow) \to f_0@v_0\Downarrow$. If we can prove the following lemma under the global assumption

\[\forall w \prec_\pi v_0.\ f_0@w\Downarrow \qquad (1)\]

we can finish using this lemma with empty $\Delta$, $t = t_0$ and $e = (e_0, g = f_0, x = v_0)$.

Lemma 2.

\[\frac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t \qquad e \models \Delta \qquad (g;e)\Downarrow f_0 \qquad (x;e)\Downarrow v_0}{(t;e)\Downarrow}\]

Proof. By induction on $\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t$.

(srvar) $(y;e)\Downarrow$ since $e$ is good except for $g$, but $y \neq g$ by assumption.

(srcase) We have to show

\[\frac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ s \qquad \forall i.\ \Delta, x_i < s \vdash g(x)\ \mathrm{sr}_\pi\ t_i \qquad e \models \Delta \qquad (g;e)\Downarrow f_0 \qquad (x;e)\Downarrow v_0}{(\mathrm{case}(s, x.t); e)\Downarrow}\]

The first ind.hyp. entails $(s;e)\Downarrow \mathrm{inj}(v')$. By (opcase) our goal follows from the second ind.hyp. using environment $e' = e, x_j = v'$, if we show the three premises of the ind.hyp.:

1. $e' \models \Delta, x_j < s$: This follows from weakening and the three facts $(x_j;e')\Downarrow v'$, $(s;e')\Downarrow \mathrm{inj}(v')$ and $v' < \mathrm{inj}(v')$.

2. $(g;e')\Downarrow f_0$: by (opweak)

3. $(x;e')\Downarrow v_0$: by (opweak)

(srlam) We have to show

\[\frac{\Delta \vdash g(x)\ \mathrm{sr}_\pi\ t \qquad e \models \Delta \qquad (g;e)\Downarrow f_0 \qquad (x;e)\Downarrow v_0}{(\lambda y.t; e)\Downarrow}\]

Immediately by (oplam) we get $(\lambda y.t; e)\Downarrow$, thus it remains to show $(\lambda y.t; e) \in \mathrm{VAL}$. For this we assume $u \in \mathrm{VAL}$ and show $(\lambda y.t; e)@u\Downarrow$. The latter follows from (opappvl) and the ind.hyp. $(t;e')\Downarrow$ for $e' = (e, y = u)$, since $e' \models \Delta$ by weakening and $(g;e')\Downarrow f_0$ and $(x;e')\Downarrow v_0$ by (opweak).

(srapprec) Using the ind.hyp. our goal becomes

\[\frac{((\vec a);e)\Downarrow w \qquad \Delta \vdash (\vec a) \prec_\pi x \qquad e \models \Delta \qquad (g;e)\Downarrow f_0 \qquad (x;e)\Downarrow v_0}{(g(\vec a);e)\Downarrow}\]

By (opapp) and (opappvr) this is true if $f_0@w\Downarrow$. That, however, was our global assumption (1) for $w \prec_\pi v_0$, which we obtain if we apply theorem 1 on the premise $\Delta \vdash (\vec a) \prec_\pi x$.

All other cases follow directly by ind.hyp. using the operational semantics. □



Corollary 1. All terms $t$ terminate in a good environment $e$.

\[\forall t^\sigma[\Gamma],\ e \in \mathrm{ENV}[\Gamma].\ \exists v \in \mathrm{VAL}^\sigma.\ (t;e)\Downarrow v\]

Proof. By straightforward induction on $t$, using the operational semantics. For the critical case $t = \mathrm{fun}\ g(x) = s$ use theorem 2. The proof has been carried out in [Abe99] and [AA99].

Corollary 2. All closed terms terminate.

From this corollary we can extract an interpreter for the foetus language that always terminates. This is no surprise since the interpreter just applies the operational semantics to the input term. Additionally, it computes a witness for the goodness of the result value ($v \in \mathrm{VAL}$), which could be eliminated using a refined program extraction (cf. [BS93]).



6 Conclusions and Further Work 

We have formally defined a syntactical check "sr" for structurally recursive functions that serves as a frame for the derivation system for size relations between terms given in [AA99]. We have shown that these two parts of the termination checker are sound w.r.t. our operational semantics.

I expect that my approach can be extended to mutual recursion (see below) and dependent types, since they only put more restrictions on the acceptable terms. By this I mean that every term typable in a lambda calculus with inductive and dependent types (Aid) should be typable in foetus. Hence we could just strip the dependency and run the foetus termination checker. My standpoint is confirmed by the fact that implementations of a termination checker for ATT do not make use of the typing information (cf. [PP00]).

So far the termination checking of foetus is very limited, e.g., "quicksort" cannot be proven total with our method. To capture the Walther recursive functions [MA96] like quicksort one has to define two more judgements stating that a function is reducing resp. preserving. E.g., for quicksort the filtering step has to be preserving. Implementation of this so-called reduction checking should be straightforward for the simple structural ordering on terms. However, lexicographic orderings will require a number of modifications since they are not "first class citizens" in my system so far. They may appear only on right hand sides, not within the dependencies.

In [Abe98] and [AA99] Altenkirch and I have informally described a termination checker also for mutually recursive functions. The main extension is the construction of a call graph for the mutually recursive functions, which has to satisfy a "goodness" condition. This enables the construction of a wellfounded ordering on the function symbols which, in addition to the lexicographic ordering on the arguments, serves as a component of the termination ordering required to run through the soundness proof. Work on the details is in progress.

In contrast to the full approach with call graphs, a lightweight version of mutual recursion with descent in every call would be a straightforward extension of the proof in the present article.
Abstract. We present a new strong normalisation proof for a $\lambda$-calculus with interleaving strictly positive inductive types $\lambda^\mu$ which avoids the use of impredicative reasoning, i.e., the theorem of Knaster-Tarski. Instead it only uses predicative, i.e., strictly positive inductive definitions on the metalevel. To achieve this we show that every strictly positive operator on types gives rise to an operator on saturated sets which is not only monotone but also (deterministically) set based - a concept introduced by Peter Aczel in the context of intuitionistic set theory. We also extend this to coinductive types using greatest fixpoints of strictly monotone operators on the metalevel.



1 Introduction 

We shall investigate a $\lambda$-calculus with strictly positive$^1$ inductive types. I.e., given a type $\sigma(X)$ where $X$ appears only strictly positive we may construct a new type $\mu X.\sigma$ which is generated by the constructor $c : \sigma(\mu X.\sigma) \to \mu X.\sigma$. Examples are the natural numbers $\mathrm{Nat} = \mu X.1 + X$, lists over a given type $\tau$: $\mathrm{List}_\tau = \mu X.1 + \tau \times X$ or trees branching over $\tau$: $\mathrm{Tree}_\tau = \mu X.1 + (\tau \to X)$. We also allow interleaving inductive types, as an example consider arbitrarily but finitely branching trees which can be defined by

\[\mathrm{Fin} = \mu X.\mathrm{List}_X = \mu X.\mu Y.1 + X \times Y\]

We call Fin interleaving because the inductive definition goes through another inductive type - List. A type like $\mathrm{Tree}_{\mathrm{Nat}}$ is nested but not interleaved.$^2$

$^1$ The occurrence of a type variable is positive iff it occurs within an even number of left hand sides of $\to$-types, it is strictly positive iff it never occurs on the left hand side of a $\to$-type. We will only use strictly positive occurrences in this paper because positive inductive types cannot be understood predicatively in general.

$^2$ The use of the term interleaving for this situation is due to Ralph Matthes, e.g., see [Mat98]. An alternative would be mutually.
Positivity is essential for normalisation, i.e., we do not allow recursive domain equations like $X = X \to X$ which may be represented by the type $\mu X.X \to X$. The difference between positive and strictly positive is more subtle, i.e., $\mu X.(X \to \mathrm{Bool}) \to \mathrm{Bool}$ is an example of a positive but not strictly positive type. This example has been used by Reynolds to show that there are no set-theoretical models of System F [Rey84].

We consider $\lambda^\mu$ as a simply typed programming language corresponding to a subset of Martin-Löf's Type Theory (MLTT) [Mar84]. For our system we show the important property of strong normalisation, following the idea of Tait [Tai67]. To show strong normalisation of the simply typed $\lambda$-calculus, he defined a set-valued interpreting function $[\![-]\!]$ on the types. For each type $\sigma$ the set $[\![\sigma]\!]$ contains the computable terms of type $\sigma$. Later Girard extended this idea to the impredicative System F under the name candidates of reducibility [Gir72]. Our construction is based on a technical alternative to candidates called saturated sets - this technique has been used by Luo [Luo90] and by the second author [Alt93]. Since in our system a type $\sigma$ may contain free variables, the interpretation $[\![\sigma]\!]$ is no longer just a saturated set but a monotone operator on saturated sets.

Now we could just adopt the normalisation proof for System F and use Knaster's and Tarski's theorem, stating that every monotone operator on a complete lattice has a least fixed point, to define the interpretation for $\mu$-types. But this construction would require impredicative reasoning and the full proof-theoretical strength of System F. It could not be carried out in a predicative meta theory like MLTT. Should it not be possible to reason about a predicative system like $\lambda^\mu$ in a predicative$^3$ meta theory, as for instance, MLTT?

Predicative theories allow only strictly positive inductive definitions. That means they must be given by an operator $\Phi(P)$ where $P$ only occurs strictly positive, i.e., never on the left hand side of an arrow. $\Phi$ defines a set $\mu$, which is characterized as the smallest set closed under $\Phi$:



\[\frac{}{\Phi(\mu) \subseteq \mu}\ \text{(intro)} \qquad\qquad \frac{\Phi(Q) \subseteq Q}{\mu \subseteq Q}\ \text{(elim)}\]



Strictly positive inductive definitions can be understood as defined by well founded derivation trees which may be infinitely branching. Hence, when building a derivation, we only refer to subderivations which are smaller in an intuitive sense. In this way the consistency of predicative theories can be justified, whereas the consistency of impredicative theories is only empiric. Furthermore there are more options to extend a weaker, i.e., predicative theory without getting into inconsistencies.

In this paper we show that indeed the strong normalisation of $\lambda^\mu$ can be proven by predicative means. We manage to define the interpretation $[\![-]\!]$ of the types without Knaster-Tarski, just by strictly positive inductive definitions, using the concept of (deterministically) set based operators introduced by Peter Aczel in the context of intuitionistic set theory [Acz97]. Intuitively, a set based operator can be understood as a monotone operator $\Phi$ which comes with a urelement relation $U$. We require that if $y \in \Phi(P)$ and $x \mathrel{U} y$ (read $x$ is an urelement of $y$) then $x \in P$. We also require that the urelements can be used to reconstruct the whole, i.e., $y \in \Phi(\{x \mid x \mathrel{U} y\})$ for reasonable $y \in \Phi(\mathrm{True})$. For any monotone operator which satisfies the conditions given above the predicate $x \in \Phi(P)$ can be replaced by the conditions $x \in \Phi(\mathrm{True})$ and $\forall y \mathrel{U} x.\ y \in P$ which is strictly positive in $P$ (see proposition 1). We have used this technique in [AA99] to construct a value semantics for the types of the foetus system predicatively.

$^3$ We are using the term predicative in the sense of avoiding circular definitions - this usage has been popularized by Per Martin-Löf. In the terminology of proof theory our system would be called impredicative since its ordinal is greater than $\Gamma_0$.

As an example consider $\Phi_{\mathrm{List}}$ which can be defined inductively (writing $[]$ for the empty list and $::$ for cons):

\[\frac{}{[] \in \Phi_{\mathrm{List}}(P)} \qquad\qquad \frac{a \in P \qquad l \in \Phi_{\mathrm{List}}(P)}{a :: l \in \Phi_{\mathrm{List}}(P)}\]

The appropriate relation $U_{\mathrm{List}}$ can be defined inductively as well:

\[\frac{}{a \mathrel{U_{\mathrm{List}}} a :: l} \qquad\qquad \frac{a \mathrel{U_{\mathrm{List}}} l}{a \mathrel{U_{\mathrm{List}}} b :: l}\]

It is now straightforward to verify that $\Phi_{\mathrm{List}}$ is set based by rule induction.
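The rule induction just mentioned, carried out for $\Phi_{\mathrm{List}}$ and $U_{\mathrm{List}}$ as an added worked derivation (it is not part of the paper); $U_{\mathrm{List}}(l)$ abbreviates $\{x \mid x \mathrel{U_{\mathrm{List}}} l\}$ as in the notational conventions.

First condition (urelements lie in the argument set): if $l \in \Phi_{\mathrm{List}}(P)$ and $a \mathrel{U_{\mathrm{List}}} l$ then $a \in P$, by induction on the derivation of $a \mathrel{U_{\mathrm{List}}} l$:

\[\begin{array}{ll}
a \mathrel{U_{\mathrm{List}}} a :: l : & a :: l \in \Phi_{\mathrm{List}}(P) \text{ can only be derived by the cons rule, whose first premise is } a \in P. \\
a \mathrel{U_{\mathrm{List}}} b :: l \text{ from } a \mathrel{U_{\mathrm{List}}} l : & b :: l \in \Phi_{\mathrm{List}}(P) \text{ gives } l \in \Phi_{\mathrm{List}}(P) \text{ by the cons rule, so the ind.hyp. yields } a \in P.
\end{array}\]

Second condition (reconstruction from the urelements): if $l \in \Phi_{\mathrm{List}}(\mathrm{True})$ then $l \in \Phi_{\mathrm{List}}(U_{\mathrm{List}}(l))$, by induction on the derivation of $l \in \Phi_{\mathrm{List}}(\mathrm{True})$:

\[\begin{array}{ll}
[] : & [] \in \Phi_{\mathrm{List}}(U_{\mathrm{List}}([])) \text{ by the nil rule.} \\
a :: l : & a \in U_{\mathrm{List}}(a :: l) \text{ by the first } U\text{-rule; the ind.hyp. gives } l \in \Phi_{\mathrm{List}}(U_{\mathrm{List}}(l)), \\
& U_{\mathrm{List}}(l) \subseteq U_{\mathrm{List}}(a :: l) \text{ by the second } U\text{-rule, so monotonicity gives } l \in \Phi_{\mathrm{List}}(U_{\mathrm{List}}(a :: l)); \\
& \text{the cons rule concludes } a :: l \in \Phi_{\mathrm{List}}(U_{\mathrm{List}}(a :: l)).
\end{array}\]

Combining both conditions as in proposition 1,

\[l \in \Phi_{\mathrm{List}}(P) \iff l \in \Phi_{\mathrm{List}}(\mathrm{True}) \wedge \forall a \mathrel{U_{\mathrm{List}}} l.\ a \in P,\]

i.e., a list is in $\Phi_{\mathrm{List}}(P)$ iff it is a (finite) list and every element of it is in $P$; the right hand side mentions $P$ only strictly positively.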

We show that every strictly positive type can be interpreted by a set based operator and that fixpoints of set based operators can be constructed by strictly positive inductive definitions on the meta level. Unsurprisingly, we need additional power on the metalevel which is given by one level of reflection corresponding to the introduction of a Martin-Löf universe. Specifically, this is required when defining the interpretation of types $[\![\sigma]\!]$.

We also extend the construction to coinductive or lazy types (like the type of Streams over $\tau$ which is given by $\mathrm{Stream}_\tau = \nu X.\tau \times X$). To do so we consider strictly positive definitions of greatest fixpoints as predicatively acceptable. This assumption is based on the work on coinductive types in Type Theory [Coq94]. Intuitively, greatest fixpoints correspond to arbitrary trees, i.e., not necessarily well founded ones.

To be precise: We assume that given a propositional expression $\Phi(P)$ s.t. $P$ appears strictly positive, it is possible to construct the greatest fixpoint $\nu$ of $\Phi$, s.t.

\[\frac{}{\nu \subseteq \Phi(\nu)}\ \text{(co-intro)} \qquad\qquad \frac{Q \subseteq \Phi(Q)}{Q \subseteq \nu}\ \text{(co-elim)}\]


1.1 Related Work 

Lambda calculi with inductive types have been considered by a number of authors, e.g., see [Hag87,Men88,Dyb91,CM89,Geu92,Loa97,Alt98]. Loader notes that strong normalisation can be shown by using the techniques from System F. This is carried out for monotone inductive types with primitive recursion by Ralph Matthes [Mat98], using an impredicative meta theory. Benl presents a predicative strong normalisation proof for non-interleaving inductive types [Ben98], but this has not been extended to interleaving inductive types or coinductive types.

Jouannaud and Okada [JO97], later with Blanqui [BJO99], also do not treat interleaving inductive types, which they call mutually inductive. Furthermore their normalisation proof is not predicative from our perspective, since they use the theorem of Knaster and Tarski to construct the computability predicates. This requires quantification over all such predicates, which can only be carried out in an impredicative meta theory.

The system we are investigating here is closely related to the proof-theoretical system. However, we differ in allowing interleaving inductive definitions which correspond to simultaneously defined sets. It is not clear at the moment whether Buchholz' reduction from ID^ to ID^ [Buc81], which also justifies positive inductive definitions, can be extended to our system.

Acknowledgments. Thierry Coquand has pointed out to us that one should 
use set based operators to prove normalisation predicatively. We would also like 
to acknowledge discussions with Peter Aczel on set based operators. Helmut 
Schwichtenberg allowed us to present this work to his group, where we got in- 
teresting feedback from him and his colleagues. Ralph Matthes gave a lot of 
very helpful comments on the draft. We would also like to thank the anonymous 
referees who invested a lot of time and effort to write reports which helped us 
to improve the paper. 

1.2 Notational Conventions 

We are using a vector notation to simplify our notation. If we have a family of expressions $e_1, e_2, \dots, e_n$ we write $\vec e$ for the whole sequence. We denote the length $n$ of the sequence by $|\vec e|$. Given a fixed $e$ we write $\vec e\, e$ for $e_1 e, e_2 e, \dots, e_n e$. Given a sequence of sets $\vec S$ where $|\vec S| = n$ we write $\Pi \vec S$ for $S_1 \times S_2 \times \dots \times S_n$.

We use set notation to define predicates, i.e., we write $x \in P$ for $P(x)$ and we define new predicates by the notation for set comprehension. However, sets are not first order citizens in our meta theory, i.e., we do not quantify over sets and we do not use power sets. We write relations infix, i.e., we write $x \mathrel{R} y$ for $(x,y) \in R$. We write projections as partial applications, i.e., $R(y) = \{x \mid x \mathrel{R} y\}$.

We will annotate term families by types but to increase readability we will often omit these annotations. We use the convention that all arrow symbols associate to the right. We consider types and terms up to alpha-equivalence and use $=$ to denote this.

2 The Calculus 

We already presented this calculus in [Alt98] also allowing positive inductive types. We shall simplify the presentation here by exploiting the fact that we are only interested in strictly positive types, following [Loa97,Abe99]. The choice of type formers presented here is quite canonical and corresponds to bicartesian closed categories which have also initial algebras for all definable endofunctors.

We assume a set of type variables $\mathcal{X}$, we denote elements of $\mathcal{X}$ by $X, Y, Z$ and finite sequences of type variables by $\vec X, \vec Y, \vec Z$. The extension of $\vec X$ by $Y$ is denoted by $\vec X, Y$. We define the set of types in which the variables $\vec X$ occur at most strictly positive $\mathrm{Ty}(\vec X)$ inductively by the following rules:



\[\frac{}{0, 1 \in \mathrm{Ty}(\vec X)}\ \text{(Const)} \qquad \frac{}{X_i \in \mathrm{Ty}(\vec X)}\ \text{(Var)} \qquad \frac{\sigma \in \mathrm{Ty}() \qquad \tau \in \mathrm{Ty}(\vec X)}{\sigma \to \tau \in \mathrm{Ty}(\vec X)}\ \text{(Arr)}\]

\[\frac{\sigma, \tau \in \mathrm{Ty}(\vec X)}{\sigma + \tau,\ \sigma \times \tau \in \mathrm{Ty}(\vec X)}\ \text{(Sum), (Prod)} \qquad\qquad \frac{\sigma \in \mathrm{Ty}(\vec X, Y)}{\mu Y.\sigma \in \mathrm{Ty}(\vec X)}\ \text{(Mu)}\]

Closed types are denoted by $\mathrm{Ty} = \mathrm{Ty}()$. If $\sigma \in \mathrm{Ty}(\vec X)$ and $\tau_i \in \mathrm{Ty}$ for $1 \le i \le |\vec X|$ we write $\sigma(\vec\tau) \in \mathrm{Ty}$ for the result of substituting $X_i$ in $\sigma$ by $\tau_i$ in a capture avoiding way.
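The rules above, and the positive/strictly positive distinction of footnote 1 together with the example $\mu X.(X \to \mathrm{Bool}) \to \mathrm{Bool}$ from the introduction, as an added checker (example code, not from the paper); the dataclass names and the constant names are assumptions of the example.

```python
"""Added example (not from the paper): a checker for the type formation rules
Ty(X) and for positive vs. strictly positive occurrences of a type variable."""
from dataclasses import dataclass
from typing import FrozenSet, List, Union

# Type syntax: 0, 1, X, sigma -> tau, sigma + tau, sigma x tau, mu X.sigma
@dataclass(frozen=True)
class Const: name: str                 # "0" or "1"
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Arr: dom: "Ty"; cod: "Ty"
@dataclass(frozen=True)
class Sum: left: "Ty"; right: "Ty"
@dataclass(frozen=True)
class Prod: left: "Ty"; right: "Ty"
@dataclass(frozen=True)
class Mu: var: str; body: "Ty"

Ty = Union[Const, Var, Arr, Sum, Prod, Mu]


def in_ty(ty: Ty, xs: FrozenSet[str]) -> bool:
    """ty in Ty(xs): every free variable is among xs and occurs only strictly
    positively.  One clause per rule (Const), (Var), (Arr), (Sum)/(Prod), (Mu);
    note that (Arr) demands a *closed* domain, i.e. sigma in Ty()."""
    if isinstance(ty, Const):
        return ty.name in ("0", "1")
    if isinstance(ty, Var):
        return ty.name in xs
    if isinstance(ty, Arr):
        return in_ty(ty.dom, frozenset()) and in_ty(ty.cod, xs)
    if isinstance(ty, (Sum, Prod)):
        return in_ty(ty.left, xs) and in_ty(ty.right, xs)
    if isinstance(ty, Mu):
        return in_ty(ty.body, xs | {ty.var})
    raise TypeError(ty)


def lhs_depths(ty: Ty, x: str, depth: int = 0) -> List[int]:
    """For every free occurrence of x in ty, the number of left hand sides of
    ->-types it sits under (the count used in footnote 1 of the introduction)."""
    if isinstance(ty, Var):
        return [depth] if ty.name == x else []
    if isinstance(ty, Const):
        return []
    if isinstance(ty, Arr):
        return lhs_depths(ty.dom, x, depth + 1) + lhs_depths(ty.cod, x, depth)
    if isinstance(ty, (Sum, Prod)):
        return lhs_depths(ty.left, x, depth) + lhs_depths(ty.right, x, depth)
    if isinstance(ty, Mu):
        return [] if ty.var == x else lhs_depths(ty.body, x, depth)
    raise TypeError(ty)


def positive(ty: Ty, x: str) -> bool:
    """x occurs within an even number of left hand sides only."""
    return all(d % 2 == 0 for d in lhs_depths(ty, x))


def strictly_positive(ty: Ty, x: str) -> bool:
    """x never occurs on the left hand side of a ->-type."""
    return all(d == 0 for d in lhs_depths(ty, x))


def is_closed_type(ty: Ty) -> bool:
    """ty in Ty = Ty()."""
    return in_ty(ty, frozenset())


# The introduction's examples (constructed here from the syntax above).
ONE = Const("1")
BOOL = Sum(ONE, ONE)
NAT = Mu("X", Sum(ONE, Var("X")))                          # mu X.1 + X
LIST_NAT = Mu("X", Sum(ONE, Prod(NAT, Var("X"))))          # mu X.1 + Nat x X
TREE_NAT = Mu("X", Sum(ONE, Arr(NAT, Var("X"))))           # mu X.1 + (Nat -> X)
FIN = Mu("X", Mu("Y", Sum(ONE, Prod(Var("X"), Var("Y")))))  # mu X.mu Y.1 + X x Y
DOMAIN_EQ = Mu("X", Arr(Var("X"), Var("X")))               # mu X.X -> X
REYNOLDS = Mu("X", Arr(Arr(Var("X"), BOOL), BOOL))         # mu X.(X -> Bool) -> Bool

if __name__ == "__main__":
    for name, ty in [("Nat", NAT), ("Fin", FIN), ("mu X.X -> X", DOMAIN_EQ), ("Reynolds", REYNOLDS)]:
        print(name, "in Ty:", is_closed_type(ty), "positive:", positive(ty.body, ty.var),
              "strictly positive:", strictly_positive(ty.body, ty.var))
```

Running the block reports Nat and Fin as well-formed, $\mu X.X \to X$ as not even positive, and the Reynolds type as positive but rejected by (Arr), since its domain $X \to \mathrm{Bool}$ is not closed.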

Different to System F, we can restrict the typing rules to closed types because we have no term forming rules which introduce new type variables (like $\Lambda$ in the case of System F). A type context $\Gamma$ is a finite sequence of assumptions of the form $x : \sigma$ where $x \in \mathcal{V}$ is a term variable and $\sigma \in \mathrm{Ty}$. We require that all the variables in a context are different. We introduce the judgment $\Gamma \vdash t : \sigma$ meaning that $t$ has the type $\sigma$ in context $\Gamma$, where $\sigma \in \mathrm{Ty}$. $\Gamma \vdash t : \sigma$ is given by the usual rules for simply typed $\lambda$ calculus:



\[\frac{}{\Gamma, x : \sigma, \Delta \vdash x : \sigma}\ \text{var} \qquad \frac{\Gamma, x : \sigma \vdash t : \tau}{\Gamma \vdash \lambda x^\sigma.t : \sigma \to \tau}\ \text{lam} \qquad \frac{\Gamma \vdash t : \sigma \to \tau \qquad \Gamma \vdash u : \sigma}{\Gamma \vdash t\,u : \tau}\ \text{app}\]

Additionally we assume a set of constants $\mathcal{C}$ and a signature given by $\Sigma \subseteq \mathcal{C} \times \mathrm{Ty}$ which is decidable. We introduce the rule

\[\frac{c : \sigma \in \Sigma}{\Gamma \vdash c : \sigma}\ \text{const}\]

For $\lambda^\mu$ we consider the following signature

\[\begin{array}{lll}
\mathrm{unit} & : & 1 \\
\mathrm{pair}^{\sigma_1,\sigma_2} & : & \sigma_1 \to \sigma_2 \to (\sigma_1 \times \sigma_2) \\
\pi_i^{\sigma_1,\sigma_2} & : & (\sigma_1 \times \sigma_2) \to \sigma_i \qquad i \in \{1,2\} \\
\mathrm{case}_0^{\sigma} & : & 0 \to \sigma \\
\mathrm{in}_i^{\sigma_1,\sigma_2} & : & \sigma_i \to (\sigma_1 + \sigma_2) \qquad i \in \{1,2\} \\
\mathrm{case}^{\sigma_1,\sigma_2,\rho} & : & (\sigma_1 \to \rho) \to (\sigma_2 \to \rho) \to (\sigma_1 + \sigma_2) \to \rho \\
c^{\mu X.\tau} & : & \tau(\mu X.\tau) \to \mu X.\tau \\
\mathrm{It}^{\mu X.\tau,\sigma} & : & (\tau(\sigma) \to \sigma) \to (\mu X.\tau) \to \sigma
\end{array}\]
where $\sigma, \sigma_i, \rho \in \mathrm{Ty}$ and $\tau \in \mathrm{Ty}(X)$. We will often omit type annotations when they are clear from the context.

We write $\mathrm{Tm}^\sigma$ for the set of terms of type $\sigma$:

\[\mathrm{Tm}^\sigma = \{t \mid \exists\Gamma.\ \Gamma \vdash t : \sigma\}\]

Since we only allow strictly positive occurrences of type variables every type gives rise to a functor in the sense of category theory. We exploit this by defining the functorial strength of a type $\rho \in \mathrm{Ty}(\vec X)$: Given $f_i \in \mathrm{Tm}^{\sigma_i \to \tau_i}$ for $1 \le i \le n$, where $n = |\vec X|$ we define

\[\rho(\vec f) : \rho(\vec\sigma) \to \rho(\vec\tau)\]

by induction over the structure of $\rho$:$^4$

\[\begin{array}{lcll}
C(\vec f) & = & \lambda x^C.x & C \in \{0,1\} \\
X_i(\vec f) & = & f_i & 1 \le i \le n \\
(\rho_1 \to \rho_2)(\vec f) & = & \lambda g^{\rho_1 \to \rho_2(\vec\sigma)}.\lambda x^{\rho_1}.\rho_2(\vec f)(g\,x) \\
(\rho_1 \times \rho_2)(\vec f) & = & \lambda x^{(\rho_1 \times \rho_2)(\vec\sigma)}.\mathrm{pair}\,(\rho_1(\vec f)(\pi_1 x))\,(\rho_2(\vec f)(\pi_2 x)) \\
(\rho_1 + \rho_2)(\vec f) & = & \mathrm{case}^{\rho_1(\vec\sigma),\rho_2(\vec\sigma),(\rho_1+\rho_2)(\vec\tau)}\,(\lambda x^{\rho_1(\vec\sigma)}.\mathrm{in}_1(\rho_1(\vec f)\,x))\,(\lambda y^{\rho_2(\vec\sigma)}.\mathrm{in}_2(\rho_2(\vec f)\,y)) \\
(\mu X.\rho)(\vec f) & = & \mathrm{It}\,(\lambda x^{\rho(\vec\sigma,\alpha)}.c^{\alpha}(\rho(\vec f, \lambda y^\alpha.y)\,x)) & \text{where } \alpha \text{ abbreviates } \mu X.\rho(\vec\tau, X)
\end{array}\]

This operation is motivated by the fact that each $\rho$ gives rise to a (strong) functor. We allow a partial instantiation of $\rho$ which can be defined by instantiating all other places with the identity function $\lambda x^\sigma.x$. The strength is needed in the definition of the $\beta$-rule for $\mu$ types, which, read as an equation, corresponds to weak initiality of the appropriate $\rho(-)$-algebra.

We are now ready to define the reduction relation $\triangleright_1 \subseteq \mathrm{Tm} \times \mathrm{Tm}$. We first define top level $\beta$-reduction by the following axioms

\[\begin{array}{lcll}
(\lambda x.t)\,u & \triangleright_\beta & t[x := u] \\
\pi_i(\mathrm{pair}\,t_1\,t_2) & \triangleright_\beta & t_i & i \in \{1,2\} \\
\mathrm{case}\,t_1\,t_2\,(\mathrm{in}_i\,u) & \triangleright_\beta & t_i\,u & i \in \{1,2\} \\
\mathrm{It}^{\mu X.\tau,\sigma}\,t\,(c\,u) & \triangleright_\beta & t\,(\tau(\mathrm{It}^{\mu X.\tau,\sigma}\,t)\,u)
\end{array}\]

and then define $\triangleright_1 \subseteq \mathrm{Tm} \times \mathrm{Tm}$ as the congruence closure:

\[\frac{t \triangleright_\beta u}{t \triangleright_1 u} \qquad \frac{t \triangleright_1 t'}{t\,u \triangleright_1 t'\,u} \qquad \frac{u \triangleright_1 u'}{t\,u \triangleright_1 t\,u'} \qquad \frac{t \triangleright_1 t'}{\lambda x.t \triangleright_1 \lambda x.t'}\]

$^4$ The case for $\to$ works only because $\rho_1$ is closed by definition.
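The strength $\rho(\vec f)$ and the $\beta$-rule for It, evaluated on values instead of rewritten as terms, as an added example that is not part of the paper: it assumes a tuple encoding of types and a tuple encoding of values ($\mathrm{unit} = ()$, $\mathrm{pair}\,a\,b = (a, b)$, $\mathrm{in}_i\,v = (i, v)$, $c\,u = (\texttt{"c"}, u)$, values of arrow type are Python callables); all function names are the example's own.

```python
"""Added example (not from the paper): the functorial strength rho(f) and the
iterator It, evaluated on values instead of terms.
Type syntax (assumed): ("0",), ("1",), ("var", X), ("arr", s, t), ("sum", s, t),
("prod", s, t), ("mu", X, s).  Values (assumed): unit = (), pair a b = (a, b),
in_i v = (i, v), c u = ("c", u); values of arrow type are Python callables."""
from typing import Callable, Dict

Fun = Callable[[object], object]


def strength(rho, fs: Dict[str, Fun]) -> Fun:
    """rho(f): maps a value of rho(sigma) to a value of rho(tau), applying f_i at
    every occurrence of X_i.  Variables absent from fs get the identity, which
    is the partial instantiation described in the text."""
    tag = rho[0]
    if tag in ("0", "1"):                       # C(f) = \x.x
        return lambda v: v
    if tag == "var":                            # X_i(f) = f_i
        return fs.get(rho[1], lambda v: v)
    if tag == "arr":                            # (rho1 -> rho2)(f) = \g.\x.rho2(f)(g x)
        _, _, rho2 = rho                        # rho1 is closed, so it is untouched
        return lambda g: (lambda x: strength(rho2, fs)(g(x)))
    if tag == "prod":                           # pair (rho1(f)(pi_1 x)) (rho2(f)(pi_2 x))
        _, r1, r2 = rho
        return lambda p: (strength(r1, fs)(p[0]), strength(r2, fs)(p[1]))
    if tag == "sum":                            # case (in_1 . rho1(f)) (in_2 . rho2(f))
        _, r1, r2 = rho
        return lambda s: (s[0], strength((r1, r2)[s[0] - 1], fs)(s[1]))
    if tag == "mu":                             # (mu X.rho)(f) = It (\x. c (rho(f, id) x))
        _, y, body = rho
        step = lambda x: ("c", strength(body, {**fs, y: lambda v: v})(x))
        return lambda v: iterate(rho, step, v)
    raise ValueError(rho)


def iterate(mu, step: Fun, v):
    """The beta-rule  It t (c u) > t (tau(It t) u)  read as an evaluator: strip c,
    map the recursive call over the positions of X in u, then apply t (= step)."""
    _, x, tau = mu
    if v[0] != "c":
        raise ValueError("iterate expects a constructor value c u")
    return step(strength(tau, {x: lambda w: iterate(mu, step, w)})(v[1]))


# Nat = mu X.1 + X and List_A = mu X.1 + A x X; A is left open so that
# strength(LIST_A, {"A": f}) is the usual map over lists.
NAT = ("mu", "X", ("sum", ("1",), ("var", "X")))
LIST_A = ("mu", "X", ("sum", ("1",), ("prod", ("var", "A"), ("var", "X"))))


def nat(n: int):
    v = ("c", (1, ()))                          # 0 = c (in_1 unit)
    for _ in range(n):
        v = ("c", (2, v))                       # S n = c (in_2 n)
    return v


def to_int(v) -> int:
    return iterate(NAT, lambda x: 0 if x[0] == 1 else 1 + x[1], v)


def from_list(xs):
    v = ("c", (1, ()))
    for x in reversed(xs):
        v = ("c", (2, (x, v)))
    return v


def to_list(v) -> list:
    return iterate(LIST_A, lambda x: [] if x[0] == 1 else [x[1][0]] + x[1][1], v)


def map_succ(v):
    """(mu X.1 + A x X)(S): the successor mapped over a list of naturals."""
    return strength(LIST_A, {"A": lambda n: ("c", (2, n))})(v)


if __name__ == "__main__":
    print([to_int(n) for n in to_list(map_succ(from_list([nat(0), nat(2)])))])  # [1, 3]
```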
We define the set of strongly normalizing terms of type $\sigma$ inductively by the rule:

\[\frac{t \in \mathrm{Tm}^\sigma \qquad \forall t' \in \mathrm{Tm}^\sigma.\ (t \triangleright_1 t') \Rightarrow t' \in \mathrm{SN}^\sigma}{t \in \mathrm{SN}^\sigma}\]

Our goal is to give a predicative proof of the strong normalization theorem:

Theorem 1.

\[\frac{t \in \mathrm{Tm}^\sigma}{t \in \mathrm{SN}^\sigma}\]

3 Proving Strong Normalisation Using Saturated Sets 

Even for the simply typed lambda calculus strong normalisation cannot be proven by a mere induction over the term structure, since an application $(\lambda x.t)\,s$ can beta-reduce to a term $t[x := s]$ that neither is a subterm of $t$ nor of $s$. To strengthen the induction hypothesis, Tait [Tai67] introduced the set of computable terms $[\![\sigma]\!] \subseteq \mathrm{SN}^\sigma$ of type $\sigma$. E.g., given $P \subseteq \mathrm{SN}^\sigma$, $Q \subseteq \mathrm{SN}^\tau$ we define

\[P \to Q := \{t \in \mathrm{SN}^{\sigma \to \tau} \mid \forall u \in P.\ t\,u \in Q\}\]

\[ {[\![\sigma \to \tau]\!]} := [\![\sigma]\!] \to [\![\tau]\!]\]

The new obligation $\mathrm{Tm}^\sigma \subseteq [\![\sigma]\!]$ can be proven by induction over the terms (cf. Prop. 11) and the application case now is trivial.

But how does one extend this to other types, like the type of natural numbers? In [GLT89] it is suggested to interpret Nat by all strongly normalizing terms of this type. However, one has to pay a high price for this when showing the soundness of the eliminator and it is not clear how this technique can be extended to systems like the one presented here. Here we follow a different way and construct the interpretation of all other types introduction based, i.e.,

\[\frac{}{0 \in [\![\mathrm{Nat}]\!]} \qquad\qquad \frac{t \in [\![\mathrm{Nat}]\!]}{S\,t \in [\![\mathrm{Nat}]\!]}\]

However, there are a lot of strongly normalizing terms which are not included in this definition. The basic idea is that the computable terms are the ones such that all computation paths end up in $[\![\mathrm{Nat}]\!]$, i.e., we may want to add the following rule

\[\frac{t \in \mathrm{Tm}^{\mathrm{Nat}} \qquad \forall u.\ t \triangleright_1 u \Rightarrow u \in [\![\mathrm{Nat}]\!]}{t \in [\![\mathrm{Nat}]\!]}\ \text{(comp)}\]

But this is just the definition of $\mathrm{SN}^{\mathrm{Nat}}$! The key technical insight we use is to restrict attention to (strongly normalizing) terms whose canonical computation, which we call weak head reduction ($\triangleright_{whd}$), ends up in $[\![\mathrm{Nat}]\!]$ or which are canonically irreducible, such terms we call void (Void). Sets of strongly normalizing terms which are closed under canonical computations and which include all void terms we call saturated (SAT). In the example we would replace the rule (comp) by the two rules

\[\frac{t \in \mathrm{Void}^{\mathrm{Nat}}}{t \in [\![\mathrm{Nat}]\!]}\ \text{(sat1)} \qquad\qquad \frac{t \in \mathrm{SN}^{\mathrm{Nat}} \qquad t \triangleright_{whd} t' \qquad t' \in [\![\mathrm{Nat}]\!]}{t \in [\![\mathrm{Nat}]\!]}\ \text{(sat2)}\]

We are now going to define the notions Void and $\triangleright_{whd}$ for our calculus.$^5$ We define evaluation contexts as eliminator terms with a hole in the key position

\[E[X] ::= X\,t \mid \pi_i\,X \mid \mathrm{case}\,t_1\,t_2\,X \mid \mathrm{It}\,t\,X\]

Weak head reduction $\triangleright_{whd} \subseteq \triangleright_1$ is defined as the least relation closed under the $\beta$-axioms and under evaluation contexts.

\[\frac{t \triangleright_\beta u}{t \triangleright_{whd} u} \qquad\qquad \frac{t \triangleright_{whd} u}{E[t] \triangleright_{whd} E[u]}\]

Note that $\triangleright_{whd}$ is deterministic. Furthermore we define the set Void as the least set which includes variables and which is closed under evaluation contexts:

\[\frac{x \in \mathcal{V}}{x \in \mathrm{Void}} \qquad\qquad \frac{t \in \mathrm{Void} \qquad E[x] \in \mathrm{SN}}{E[t] \in \mathrm{Void}}\]

We write $\mathrm{Void}^\sigma$ for $\mathrm{Void} \cap \mathrm{Tm}^\sigma$. We verify the syntactic properties which are needed in the proof and which motivate the definition of $\triangleright_{whd}$:

Lemma 1.

\[1.\ \frac{t \triangleright_{whd} u \qquad t \triangleright_1 t'}{u = t' \vee \exists u'.\ t' \triangleright_{whd} u' \wedge u \triangleright^* u'} \qquad\qquad 2.\ \frac{t \in \mathrm{Void} \qquad E[x] \in \mathrm{SN}}{E[t] \in \mathrm{SN}}\]

\[3.\ \frac{t \triangleright_{whd} t' \qquad E[t'] \in \mathrm{SN}}{E[t] \in \mathrm{SN}} \qquad\qquad 4.\ \frac{E[t] \triangleright_{whd} t' \qquad t, t', E[x] \in \mathrm{SN}}{E[t] \in \mathrm{SN}}\]

We omit the proof here. Note that the first property is a weak form of standardisation, expressing that weak head reduction can only be postponed but not avoided. This property is needed to show some of the other properties, which in general can be verified by rule induction over the definition of SN. A simple corollary of 2. is that $\mathrm{Void} \subseteq \mathrm{SN}$.
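Weak head reduction, Void and the inductive definition of SN, made executable for the function and sum fragment of the calculus as an added example (not code from the paper): products and $\mu$-types are left out to keep it short, terms are untyped, bound variable names are assumed distinct so that substitution needs no renaming, and the sample terms are constructed for the example.

```python
"""Added example (not from the paper): beta-reduction, weak head reduction,
Void and SN for the function and sum fragment of Section 2 (products and
mu-types are omitted).  Terms are untyped; bound variables are assumed to be
distinct, so substitution does no renaming."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: x: str; body: object
@dataclass(frozen=True)
class App: f: object; a: object
@dataclass(frozen=True)
class Inj: i: int; t: object                     # in_i t
@dataclass(frozen=True)
class Case: t1: object; t2: object; s: object    # case t1 t2 s


def subst(t, x: str, u):
    """t[x := u]; stops at a binder for x (no capture avoidance, see above)."""
    if isinstance(t, Var):
        return u if t.name == x else t
    if isinstance(t, Lam):
        return t if t.x == x else Lam(t.x, subst(t.body, x, u))
    if isinstance(t, App):
        return App(subst(t.f, x, u), subst(t.a, x, u))
    if isinstance(t, Inj):
        return Inj(t.i, subst(t.t, x, u))
    return Case(subst(t.t1, x, u), subst(t.t2, x, u), subst(t.s, x, u))


def beta_top(t) -> Optional[object]:
    """The beta-axioms applied at the root of t, or None."""
    if isinstance(t, App) and isinstance(t.f, Lam):
        return subst(t.f.body, t.f.x, t.a)
    if isinstance(t, Case) and isinstance(t.s, Inj):
        return App(t.t1 if t.s.i == 1 else t.t2, t.s.t)
    return None


def whd(t) -> Optional[object]:
    """One weak head step: a beta-axiom at the root, or a step in the hole of
    an evaluation context X t | case t1 t2 X.  Deterministic by construction."""
    r = beta_top(t)
    if r is not None:
        return r
    if isinstance(t, App):
        f = whd(t.f)
        return None if f is None else App(f, t.a)
    if isinstance(t, Case):
        s = whd(t.s)
        return None if s is None else Case(t.t1, t.t2, s)
    return None


def reducts(t) -> List[object]:
    """All one-step reducts of t (congruence closure of the beta-axioms)."""
    out = [] if beta_top(t) is None else [beta_top(t)]
    if isinstance(t, Lam):
        out += [Lam(t.x, b) for b in reducts(t.body)]
    elif isinstance(t, App):
        out += [App(f, t.a) for f in reducts(t.f)] + [App(t.f, a) for a in reducts(t.a)]
    elif isinstance(t, Inj):
        out += [Inj(t.i, s) for s in reducts(t.t)]
    elif isinstance(t, Case):
        out += ([Case(a, t.t2, t.s) for a in reducts(t.t1)]
                + [Case(t.t1, b, t.s) for b in reducts(t.t2)]
                + [Case(t.t1, t.t2, s) for s in reducts(t.s)])
    return out


def sn(t, fuel: int = 200) -> bool:
    """t in SN iff every one-step reduct is in SN: the inductive definition,
    searched exhaustively.  True is always correct; False is only reported when
    the search runs out of fuel, which for the tiny terms here means the
    reduction does not terminate (e.g. Omega Omega)."""
    if fuel == 0:
        return False
    return all(sn(u, fuel - 1) for u in reducts(t))


def void(t) -> bool:
    """t in Void: a variable, or E[t'] with t' in Void and E[x] in SN."""
    if isinstance(t, Var):
        return True
    if isinstance(t, App):
        return void(t.f) and sn(t.a)
    if isinstance(t, Case):
        return void(t.s) and sn(t.t1) and sn(t.t2)
    return False


def whd_trace(t) -> List[object]:
    """t followed by its weak head reducts until no step is possible."""
    trace = [t]
    while (nxt := whd(trace[-1])) is not None:
        trace.append(nxt)
    return trace


# Constructed sample terms: I = \x.x, SWAP swaps the injections of a sum.
I = Lam("x", Var("x"))
SWAP = Lam("y", Case(Lam("a", Inj(2, Var("a"))), Lam("b", Inj(1, Var("b"))), Var("y")))
SAMPLE = Case(I, SWAP, App(I, Inj(2, Var("z"))))     # case I SWAP (I (in_2 z))
OMEGA = Lam("w", App(Var("w"), Var("w")))
```

`whd_trace(SAMPLE)` ends in `case (\a.in_2 a) (\b.in_1 b) z`, a void term, so `SAMPLE` enters a saturated set through (sat2) and (sat1) even though it is not itself a value.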

Given a set of strongly normalizing terms $P \subseteq \mathrm{SN}^\sigma$ we define its saturation $P^* \subseteq \mathrm{SN}^\sigma$ as the least set closed under

\[\frac{t \in P}{t \in P^*}\ \text{(emb)} \qquad\qquad \frac{t \in \mathrm{Void}^\sigma}{t \in P^*}\ \text{(sat1)} \qquad\qquad \frac{t \in \mathrm{SN}^\sigma \qquad t \triangleright_{whd} t' \qquad t' \in P^*}{t \in P^*}\ \text{(sat2)}\]

We say that a set $P \subseteq \mathrm{SN}^\sigma$ is saturated iff $P^* \subseteq P$ and write $P \in \mathrm{SAT}^\sigma$. Obviously, $P^* \in \mathrm{SAT}^\sigma$.

$^5$ Note that the type Nat can be represented as $\mu X.1 + X$, then define $0 = c(\mathrm{in}_1\,\mathrm{unit}) : \mathrm{Nat}$, $S = \lambda x.c(\mathrm{in}_2\,x) : \mathrm{Nat} \to \mathrm{Nat}$.
4 A Predicative Interpretation of Types

Following Tait, the interpretations $[\![\sigma]\!]$ of all closed types $\sigma \in \mathrm{Ty}$ will be saturated sets. But how about the types with free type variables? We use Girard's approach, who extended Tait's method to System F [Gir72]: Open types are operators on saturated sets (Girard actually used his candidate sets, which are more restrictive than saturated sets). Transferred to our notation and terminology, he defined the semantics of second-order quantified types as

\[ {[\![\Pi Y.\sigma(\vec X)]\!]}(\vec P) := \bigcap_{Q \in \mathrm{SAT}} [\![\sigma(\vec X, Y)]\!](\vec P, Q)\]

making splendid use of impredicativity: He quantifies over all saturated sets while defining one. Since we do not quantify over types but use open types only to define recursive types, we can give the interpretation by inductive definitions (i.e., predicatively). Technically, this requires the "urelement" relation $U$ to be defined simultaneously with the interpretations. Given $\sigma \in \mathrm{Ty}(\vec X)$ and closed types $\tau_i \in \mathrm{Ty}$ for $1 \le i \le n = |\vec X|$, we will define

\[ {[\![\sigma]\!]}(\vec P) \subseteq \mathrm{Tm}^{\sigma(\vec\tau)} \qquad \text{for } P_i \subseteq \mathrm{Tm}^{\tau_i},\ 1 \le i \le n\]

\[U_i^\sigma \subseteq \mathrm{Tm}^{\tau_i} \times \mathrm{Tm}^{\sigma(\vec\tau)} \qquad 1 \le i \le n\]

such that the following properties hold:

Saturated If all $P_i \in \mathrm{SAT}^{\tau_i}$ then $[\![\sigma]\!](\vec P) \in \mathrm{SAT}^{\sigma(\vec\tau)}$

Monotone $[\![\sigma]\!]$ is monotone in all arguments, i.e.,

\[\frac{\forall 1 \le i \le n.\ P_i \subseteq Q_i}{[\![\sigma]\!](\vec P) \subseteq [\![\sigma]\!](\vec Q)}\ \text{(mon)}\]

Set based $[\![\sigma]\!]$ is set based by $U^\sigma$. For all $1 \le i \le n$, $t \in \mathrm{Tm}^{\sigma(\vec\tau)}$ and $u \in \mathrm{SN}^{\tau_i}$ the interpretation $[\![\sigma]\!]$ satisfies

\[\frac{t \in [\![\sigma]\!](\vec P) \qquad u \mathrel{U_i^\sigma} t}{u \in P_i}\ \text{(sb1)} \qquad\qquad \frac{t \in [\![\sigma]\!](\vec{\mathrm{SN}})}{t \in [\![\sigma]\!](\vec U^\sigma(t))}\ \text{(sb2)}\]

Note that (sb1) can be read as $t \in [\![\sigma]\!](\vec P) \Rightarrow U_i^\sigma(t) \subseteq P_i$. Informally, this states that the $i$th component urelements of $t$ must be in the original set of urelements $P_i$. Likewise, (sb2) states that $t$ must be reconstructible out of the urelements extracted from $t$.

We require the operators to be set based for the following reason: The interpretation $M := [\![\mu X.\sigma]\!](\vec P)$ of an inductive type is defined by

\[\frac{t \in [\![\sigma]\!](\vec P, M)}{c\,t \in M}\ \text{(cons')}\]

However, this cannot be a rule of an inductive definition since $M$, which we want to define, does not appear strictly positive in the premise. Although $X$ appears strictly positive in the type $\sigma$, $M$ cannot be said to appear strictly positive, since it is argument of $[\![\sigma]\!]$, not of $\sigma$, and we do not know "what the operator is doing with $M$". Monotonicity is not strong enough for our purposes, and this is where set-basedness comes in:

Proposition 1. Every $[\![\sigma]\!](\vec P)$ is equivalent to a predicate which is strictly positive in $\vec P$ - that is for $t \in \mathrm{Tm}^{\sigma(\vec\tau)}$

\[t \in [\![\sigma]\!](\vec P) \iff t \in [\![\sigma]\!](\vec{\mathrm{SN}}) \wedge \forall i.\ U_i^\sigma(t) \subseteq P_i\]



Proof.

$\Rightarrow$ Assuming $t \in [\![\sigma]\!](\vec P)$, we obtain $t \in [\![\sigma]\!](\vec{\mathrm{SN}})$ by (mon) and $U_i^\sigma(t) \subseteq P_i$ for all $i$ by (sb1).

$\Leftarrow$ Using (sb2), $t \in [\![\sigma]\!](\vec{\mathrm{SN}})$ entails

\[t \in [\![\sigma]\!](\vec U^\sigma(t))\]

Since by assumption $\vec U^\sigma(t) \subseteq \vec P$ (component wise), we can derive $t \in [\![\sigma]\!](\vec P)$ by (mon). □

In the following we give definitions for $[\![\sigma]\!]$ and $U_i^\sigma$.



(Const),(Var),(Arr) Let $\sigma \in \mathrm{Ty}$ and $\tau \in \mathrm{Ty}(\vec X)$

\[\begin{array}{ll}
{[\![0]\!]}(\vec P) = \{\}^* & u \mathrel{U_i^{0}} t \iff \mathrm{False} \\
{[\![1]\!]}(\vec P) = \{\mathrm{unit}\}^* & u \mathrel{U_i^{1}} t \iff \mathrm{False} \\
{[\![X_j]\!]}(\vec P) = P_j & u \mathrel{U_i^{X_j}} t \iff i = j \wedge u = t \\
{[\![\sigma \to \tau]\!]}(\vec P) = [\![\sigma]\!] \to [\![\tau]\!](\vec P) & u \mathrel{U_i^{\sigma \to \tau}} t \iff \exists t' \in [\![\sigma]\!].\ u \mathrel{U_i^\tau} (t\,t')
\end{array}\]

The following lemma is standard, e.g. see [Alt93] for a proof:

Lemma 2. Given $P \subseteq \mathrm{SN}^\sigma$ and $Q \in \mathrm{SAT}^\tau$ we have that $P \to Q \in \mathrm{SAT}^{\sigma \to \tau}$

Proposition 2. The interpretations $[\![0]\!]$, $[\![1]\!]$, $[\![\sigma \to \tau]\!]$ are saturated, monotone and set based.

Proof. We verify here the (only interesting) case that $[\![\sigma \to \tau]\!]$ is set based:

(sb1) Given $t \in [\![\sigma \to \tau]\!](\vec P)$ and $u \mathrel{U_i^{\sigma \to \tau}} t$ we know that there is a $t' \in [\![\sigma]\!]$ s.t. $u \mathrel{U_i^\tau} t\,t'$. Since $t\,t' \in [\![\tau]\!](\vec P)$ we can use (sb1) for $\tau$ to conclude $u \in P_i$.

(sb2) Given $t \in [\![\sigma \to \tau]\!](\vec{\mathrm{SN}})$ we have to show that $t \in [\![\sigma \to \tau]\!](\vec U^{\sigma \to \tau}(t))$: Assume $u \in [\![\sigma]\!]$; we can use the hypothesis to show that $t\,u \in \mathrm{SN}$ and hence by (sb2) for $\tau$, $t\,u \in [\![\tau]\!](\vec U^\tau(t\,u))$. Clearly $\vec U^\tau(t\,u) \subseteq \vec U^{\sigma \to \tau}(t)$ and hence using (mon) of $[\![\tau]\!]$ we have $t\,u \in [\![\tau]\!](\vec U^{\sigma \to \tau}(t))$ as required. □
(Prod) Given $\sigma_1, \sigma_2 \in \mathrm{Ty}(\vec X)$ we define

\[ {[\![\sigma_1 \times \sigma_2]\!]}(\vec P) = \{\mathrm{pair}\,t_1\,t_2 \mid \forall j \in \{1,2\}.\ t_j \in [\![\sigma_j]\!](\vec P)\}^* \qquad (1)\]

We define $U_i^{\sigma_1 \times \sigma_2}$ inductively by the following rules

\[\frac{j \in \{1,2\} \qquad u \mathrel{U_i^{\sigma_j}} t_j}{u \mathrel{U_i^{\sigma_1 \times \sigma_2}} \mathrm{pair}\,t_1\,t_2}\ \text{(pair)} \qquad\qquad \frac{t \in \mathrm{SN} \qquad t \triangleright_{whd} t' \qquad u \mathrel{U_i^{\sigma_1 \times \sigma_2}} t'}{u \mathrel{U_i^{\sigma_1 \times \sigma_2}} t}\ \text{(clos}^\times\text{)}\]

Proposition 3. The interpretation $[\![\sigma_1 \times \sigma_2]\!]$ of the product is monotone and set based.

Proof. Since (mon) is obvious in this and all subsequent cases we concentrate on set based:

(sb1) Given $t \in [\![\sigma_1 \times \sigma_2]\!](\vec P)$, to show $U_i^{\sigma_1 \times \sigma_2}(t) \subseteq P_i$ we exploit that the closure (1) is defined inductively and analyze the cases:

(emb) $t = \mathrm{pair}\,t_1\,t_2$ where $t_j \in [\![\sigma_j]\!](\vec P)$. Hence $u \mathrel{U_i^{\sigma_1 \times \sigma_2}} t$ can only have been derived from $u \mathrel{U_i^{\sigma_j}} t_j$. Then (sb1) for $\sigma_j$ implies $u \in P_i$.

(sat1) For $t \in \mathrm{Void}$ the precondition $u \mathrel{U_i^{\sigma_1 \times \sigma_2}} t$ is never derivable.

(sat2) We have $t \in \mathrm{SN}$ and $t \triangleright_{whd} t'$ and assume $u \mathrel{U_i^{\sigma_1 \times \sigma_2}} t$ to show $u \in P_i$. Since $t$ has a weak head reduct, it cannot be of the form $\mathrm{pair}\,t_1\,t_2$. Thus $u \mathrel{U_i^{\sigma_1 \times \sigma_2}} t$ can only have been derived by (clos$^\times$) and since $\triangleright_{whd}$ is deterministic we have $u \mathrel{U_i^{\sigma_1 \times \sigma_2}} t'$. Now, the ind.hyp. for $t'$ entails $u \in P_i$.

(sb2) Given $t \in [\![\sigma_1 \times \sigma_2]\!](\vec{\mathrm{SN}})$ we show

\[t \in [\![\sigma_1 \times \sigma_2]\!](\vec U^{\sigma_1 \times \sigma_2}(t))\]

by induction over the closure rules:

(emb) $t = \mathrm{pair}\,t_1\,t_2$ where $t_j \in [\![\sigma_j]\!](\vec{\mathrm{SN}})$. We apply the ind.hyp. to derive $t_j \in [\![\sigma_j]\!](\vec U^{\sigma_j}(t_j))$. Since $\vec U^{\sigma_j}(t_j) \subseteq \vec U^{\sigma_1 \times \sigma_2}(\mathrm{pair}\,t_1\,t_2)$ by (pair) we use (mon) to derive $t_j \in [\![\sigma_j]\!](\vec U^{\sigma_1 \times \sigma_2}(\mathrm{pair}\,t_1\,t_2))$ and hence $t \in [\![\sigma_1 \times \sigma_2]\!](\vec U^{\sigma_1 \times \sigma_2}(t))$.

(sat1) Since $[\![\sigma_1 \times \sigma_2]\!]$ is defined as a closure it contains all $t \in \mathrm{Void}$.

(sat2) We have $t \in \mathrm{SN}$, $t \triangleright_{whd} t'$ and the ind.hyp. $t' \in [\![\sigma_1 \times \sigma_2]\!](\vec U^{\sigma_1 \times \sigma_2}(t'))$. (clos$^\times$) implies that $\vec U^{\sigma_1 \times \sigma_2}(t') \subseteq \vec U^{\sigma_1 \times \sigma_2}(t)$ and hence using (mon) we know $t' \in [\![\sigma_1 \times \sigma_2]\!](\vec U^{\sigma_1 \times \sigma_2}(t))$. We use the premises again and apply (sat2) for $[\![\sigma_1 \times \sigma_2]\!]$ to derive $t \in [\![\sigma_1 \times \sigma_2]\!](\vec U^{\sigma_1 \times \sigma_2}(t))$. □

Since we have not used $\times$-specific properties in the case that the last step was (clos$^\times$) we can transfer these parts of the proof to sum and inductive types.
(Sum) Given $\sigma_1, \sigma_2 \in \mathrm{Ty}(\vec X)$ we define

\[ {[\![\sigma_1 + \sigma_2]\!]}(\vec P) = \{\mathrm{in}_j\,t \mid j \in \{1,2\} \wedge t \in [\![\sigma_j]\!](\vec P)\}^*\]

We define $U_i^{\sigma_1 + \sigma_2}$ inductively by the following rules ($j \in \{1,2\}$)

\[\frac{u \mathrel{U_i^{\sigma_j}} t}{u \mathrel{U_i^{\sigma_1 + \sigma_2}} \mathrm{in}_j\,t}\ \text{(in}_j\text{)} \qquad\qquad \frac{t \in \mathrm{SN} \qquad t \triangleright_{whd} t' \qquad u \mathrel{U_i^{\sigma_1 + \sigma_2}} t'}{u \mathrel{U_i^{\sigma_1 + \sigma_2}} t}\ \text{(clos}^+\text{)}\]

Proposition 4. The interpretation $[\![\sigma_1 + \sigma_2]\!]$ of the disjoint union is monotone and set based.

Proof.

(sb1) By induction on $t \in [\![\sigma_1 + \sigma_2]\!](\vec P)$:

(emb) $t = \mathrm{in}_j\,s$ and $s \in [\![\sigma_j]\!](\vec P)$. Since $u \mathrel{U_i^{\sigma_1 + \sigma_2}} t$ must have been derived from $u \mathrel{U_i^{\sigma_j}} s$, we may apply the ind.hyp. to conclude $u \in P_i$.

(sat1),(sat2) As before for $\times$.

(sb2) By induction on $t \in [\![\sigma_1 + \sigma_2]\!](\vec{\mathrm{SN}})$:

(emb) $t = \mathrm{in}_j\,s$ and $s \in [\![\sigma_j]\!](\vec{\mathrm{SN}})$. By ind.hyp. we have $s \in [\![\sigma_j]\!](\vec U^{\sigma_j}(s))$. Since $\vec U^{\sigma_j}(s) \subseteq \vec U^{\sigma_1 + \sigma_2}(\mathrm{in}_j\,s)$ we can show $s \in [\![\sigma_j]\!](\vec U^{\sigma_1 + \sigma_2}(\mathrm{in}_j\,s))$ using (mon) and hence $t \in [\![\sigma_1 + \sigma_2]\!](\vec U^{\sigma_1 + \sigma_2}(t))$.

(sat1),(sat2) As before for $\times$. □



(Mu) Given $\sigma \in \mathrm{Ty}(\vec X, X)$ where $n = |\vec X|$ we define $[\![\mu X.\sigma]\!](\vec P)$ inductively by (sat1), (sat2) and:

\[\frac{t \in [\![\sigma]\!](\vec P, \mathrm{SN}^{\mu X.\sigma}) \qquad \forall u.\ u \mathrel{U_{n+1}^\sigma} t \Rightarrow u \in [\![\mu X.\sigma]\!](\vec P)}{c\,t \in [\![\mu X.\sigma]\!](\vec P)}\ \text{(cons)}\]

We could not have used the saturation operator $^*$ here instead of (sat1) and (sat2), since saturation and (cons) may have to be interleaved.

Note that $[\![\mu X.\sigma]\!]$ appears only strictly positively in the premises! By Prop. 1 (cons) is equivalent to the rule (cons') given on page 29. We could not have used (cons') for the definition because $[\![\mu X.\sigma]\!]$ appears non-positively as an argument to $[\![\sigma]\!]$.

We also define $U^{\mu X.\sigma}_i$ inductively:

$$\frac{1 \le i \le n \qquad u \mathrel{U^{\sigma}_i} t}{u \mathrel{U^{\mu X.\sigma}_i} c\,t}\ (\text{non-rec}) \qquad\qquad \frac{t' \mathrel{U^{\sigma}_{n+1}} t \qquad u \mathrel{U^{\mu X.\sigma}_i} t'}{u \mathrel{U^{\mu X.\sigma}_i} c\,t}\ (\mathrm{rec})$$

$$\frac{t \in \mathrm{SN} \qquad t \rhd_{\mathrm{whd}} t' \qquad u \mathrel{U^{\mu X.\sigma}_i} t'}{u \mathrel{U^{\mu X.\sigma}_i} t}\ (\mathrm{clos}^{\mu})$$
Proposition 5. The interpretation $\llbracket\mu X.\sigma\rrbracket$ of inductive types is monotone and set based.

Proof. We omit (mon) since this follows from the fact that least fixpoints preserve monotonicity.

(sb1) We define a family of relations $R$ by

$$u \mathrel{R_i} t \;:\Longleftrightarrow\; (t \in \llbracket\mu X.\sigma\rrbracket(P) \Rightarrow u \in P_i)$$

and show that $R_i$ is closed under the rules defining $U^{\mu X.\sigma}_i$:

(non-rec) Given $u \mathrel{U^{\sigma}_i} t$ and $c\,t \in \llbracket\mu X.\sigma\rrbracket(P)$ we show $u \in P_i$. Since from the second assumption we can infer $t \in \llbracket\sigma\rrbracket(P, \llbracket\mu X.\sigma\rrbracket(P))$, our goal follows by (sb1) for $\sigma$, using the first assumption.

(rec) As before we have $t \in \llbracket\sigma\rrbracket(P, \llbracket\mu X.\sigma\rrbracket(P))$. Hence, using (sb1) for $\sigma$, the premise $t' \mathrel{U^{\sigma}_{n+1}} t$ implies $t' \in \llbracket\mu X.\sigma\rrbracket(P)$. Now we use the ind.hyp. $u \mathrel{R_i} t'$ to conclude $u \in P_i$.

(clos$^{\mu}$) Assuming $t \in \mathrm{SN}$ and $t \rhd_{\mathrm{whd}} t'$ we exploit (sat2) for $\llbracket\mu X.\sigma\rrbracket(P)$.

(sb2) We show that the set

$$Q = \{\, t \mid t \in \llbracket\mu X.\sigma\rrbracket(U^{\mu X.\sigma}(t)) \,\}$$

is closed under the rules defining $\llbracket\mu X.\sigma\rrbracket(\mathrm{SN}^n)$.

(cons) We assume

$$t \in \llbracket\sigma\rrbracket(\mathrm{SN}^n, Q) \qquad (2)$$

which by using (sb2) for $\sigma$ (and $Q \subseteq \mathrm{SN}$) entails

$$t \in \llbracket\sigma\rrbracket(U^{\sigma}(t)) \qquad (3)$$

Using (cons'), to show that $c\,t \in Q$ it suffices to show $t \in \llbracket\sigma\rrbracket(U^{\mu X.\sigma}(c\,t), \llbracket\mu X.\sigma\rrbracket(U^{\mu X.\sigma}(c\,t)))$. We derive this from (3) using (mon), which leaves us two subgoals:

1. For $1 \le i \le n$ prove that $U^{\sigma}_i(t) \subseteq U^{\mu X.\sigma}_i(c\,t)$, which is an immediate consequence of (non-rec).

2. To show $U^{\sigma}_{n+1}(t) \subseteq \llbracket\mu X.\sigma\rrbracket(U^{\mu X.\sigma}(c\,t))$ assume

$$t' \mathrel{U^{\sigma}_{n+1}} t \qquad (4)$$

Under this assumption we have that $U^{\mu X.\sigma}(t') \subseteq U^{\mu X.\sigma}(c\,t)$ by (rec). Using (sb1) for $\sigma$ on (2) and (4) we have that $t' \in Q$, i.e., $t' \in \llbracket\mu X.\sigma\rrbracket(U^{\mu X.\sigma}(t'))$, and hence using (mon) $t' \in \llbracket\mu X.\sigma\rrbracket(U^{\mu X.\sigma}(c\,t))$.

(sat1),(sat2) As for $\times$. □

Having defined the interpretation for all types we show that the interpretation is compatible with substitution:

Proposition 6. Given $\tau \in \mathrm{Ty}(X)$ and $\sigma_i \in \mathrm{Ty}$ for $1 \le i \le |X|$ we have

$$\llbracket\tau\rrbracket(\llbracket\sigma\rrbracket) = \llbracket\tau(\sigma)\rrbracket$$

Proof. Straightforward induction on $\tau \in \mathrm{Ty}(X)$. □
5 Strong Normalisation

We have to show that all constructions are sound wrt. our semantics. The verification for simple types is standard (see [Alt93]) and is summarized by the following proposition:

Proposition 7. Given $\sigma, \tau \in \mathrm{Ty}$ the following implications hold:

$$\frac{t \in \llbracket\sigma\to\tau\rrbracket \qquad u \in \llbracket\sigma\rrbracket}{t\,u \in \llbracket\tau\rrbracket}\ (\text{sem-app}) \qquad\qquad \frac{\forall u \in \llbracket\sigma\rrbracket.\ t[x := u] \in \llbracket\tau\rrbracket}{\lambda x.t \in \llbracket\sigma\to\tau\rrbracket}\ (\text{sem-lam})$$

The difficult case is (sem-lam), since $\llbracket\sigma\to\tau\rrbracket$ is defined elimination based. In contrast, the semantics for all other type constructors introduced so far is constructor based, hence the soundness of constructors is trivial:

Proposition 8.

$$\mathsf{unit} \in \llbracket 1 \rrbracket \qquad\qquad \mathsf{pair}^{\sigma_1,\sigma_2} \in \llbracket\sigma_1 \to \sigma_2 \to (\sigma_1\times\sigma_2)\rrbracket$$

$$\mathsf{in}_i^{\sigma_1,\sigma_2} \in \llbracket\sigma_i \to (\sigma_1+\sigma_2)\rrbracket,\ i \in \{1,2\} \qquad\qquad c^{\mu X.\tau} \in \llbracket\tau(\mu X.\tau) \to \mu X.\tau\rrbracket$$

To show the soundness of eliminators we have to exploit the saturatedness. We postpone the case for $\mathsf{It}$ since its soundness has to be shown mutually with the soundness of strength.

Proposition 9.

$$\pi_i^{\sigma_1,\sigma_2} \in \llbracket(\sigma_1\times\sigma_2) \to \sigma_i\rrbracket,\ i \in \{1,2\} \qquad\qquad \mathsf{case}_0^{\sigma} \in \llbracket 0 \to \sigma\rrbracket$$

$$\mathsf{case}^{\sigma_1,\sigma_2,\rho} \in \llbracket(\sigma_1 \to \rho) \to (\sigma_2 \to \rho) \to (\sigma_1+\sigma_2) \to \rho\rrbracket$$

Proof. We show soundness for the binary case to illustrate the idea: Given $t_i \in \llbracket\sigma_i \to \rho\rrbracket$ and

$$u \in \llbracket\sigma_1+\sigma_2\rrbracket \qquad (5)$$

we prove $t = \mathsf{case}\,t_1\,t_2\,u \in \llbracket\rho\rrbracket$ by induction over the rules used to derive (5):

(sat1) If $u \in \mathrm{Void}$ then $\mathsf{case}\,t_1\,t_2\,u \in \mathrm{Void} \subseteq \llbracket\rho\rrbracket$, using (sat1) for $\rho$.

(sat2) Given $u \in \mathrm{SN}$, $u \rhd_{\mathrm{whd}} u'$ with $u' \in \llbracket\sigma_1+\sigma_2\rrbracket$. Now by ind.hyp. we have that $\mathsf{case}\,t_1\,t_2\,u' \in \llbracket\rho\rrbracket$ and we observe that $t \rhd_{\mathrm{whd}} \mathsf{case}\,t_1\,t_2\,u'$. Using Lemma 1 we can show $t \in \mathrm{SN}$ and hence by (sat2) $t \in \llbracket\rho\rrbracket$.

(emb) $u = \mathsf{in}_i\,u'$ with $u' \in \llbracket\sigma_i\rrbracket$. Using Lemma 1 we derive that $t \in \mathrm{SN}$. We have $t \rhd_{\mathrm{whd}} t_i\,u'$ and from the premises we know $t_i\,u' \in \llbracket\rho\rrbracket$. Hence by (sat2) $t \in \llbracket\rho\rrbracket$. □

We are now ready to establish the soundness of $\mathsf{It}$ and strength:

Proposition 10. Given $\rho \in \mathrm{Ty}(X)$, let $n = |X|$:

1. Assume $\sigma_i, \tau_i \in \mathrm{Ty}$, $P_i \in \mathrm{SAT}^{\sigma_i}$, $Q_i \in \mathrm{SAT}^{\tau_i}$ and $f_i \in P_i \to Q_i$ for $1 \le i \le n$; we have that

$$\rho(f) \in \llbracket\rho\rrbracket(P) \to \llbracket\rho\rrbracket(Q)$$

2. If $n \ge 1$ assume $\tau_i \in \mathrm{Ty}$ and $P_i \in \mathrm{SAT}^{\tau_i}$ for $1 \le i < n$. Let $\sigma \in \mathrm{Ty}$ and $Q \in \mathrm{SAT}^{\sigma}$; it holds that

$$\mathsf{It}^{X.\rho(\tau,X),\sigma} \in (\llbracket\rho\rrbracket(P, Q) \to Q) \to \llbracket\mu X.\rho\rrbracket(P) \to Q$$

Proof. We show both properties by mutual induction on $\rho \in \mathrm{Ty}(X)$:

1. For all cases but (Mu) the property follows from the ind.hyp. 1. and Prop. 7, 8 and 9. For (Mu) we also have to use the 2nd part of the ind.hyp.

2. Assume $f \in \llbracket\rho\rrbracket(P, Q) \to Q$; we define

$$S = \{\, t \mid \mathsf{It}\,f\,t \in Q \,\}$$

Note that $\mathsf{It}\,f \in S \to Q$ by definition. We show that $S$ is closed under the rules defining $\llbracket\mu X.\rho\rrbracket$:

(sat1) If $t \in \mathrm{Void}$ then $\mathsf{It}\,f\,t \in \mathrm{Void} \subseteq Q$ using (sat1) for $Q$.

(sat2) We have $t \in \mathrm{SN}$, $t \rhd_{\mathrm{whd}} t'$ and $t' \in S$, i.e., $\mathsf{It}\,f\,t' \in Q$. From these assumptions we infer $\mathsf{It}\,f\,t \rhd_{\mathrm{whd}} \mathsf{It}\,f\,t'$. Using Lemma 1 we can show $\mathsf{It}\,f\,t \in \mathrm{SN}$ and hence, exploiting the saturatedness of $Q$, by (sat2) $\mathsf{It}\,f\,t \in Q$, that is $t \in S$. As a byproduct we have shown $S \in \mathrm{SAT}$.

(cons) For this rule, from the assumption $t \in \llbracket\rho\rrbracket(P, S)$ we have to show $c\,t \in S$, or, by definition of $S$, $\mathsf{It}\,f\,(c\,t) \in Q$. Using the first part of the ind.hyp. and the saturatedness of $S$ shown above, we establish$^6$

$$\rho(\mathsf{It}\,f) \in \llbracket\rho\rrbracket(P, S) \to \llbracket\rho\rrbracket(P, Q)$$

Now using our assumptions we can further establish

$$f\,(\rho(\mathsf{It}\,f)\,t) \in Q$$

We observe that $\mathsf{It}\,f\,(c\,t) \rhd_{\mathrm{whd}} f\,(\rho(\mathsf{It}\,f)\,t)$ and using Lemma 1 we can show $\mathsf{It}\,f\,(c\,t) \in \mathrm{SN}$. Hence by (sat2) $\mathsf{It}\,f\,(c\,t) \in Q$.

By minimality of $\llbracket\mu X.\rho\rrbracket$ we have that $\llbracket\mu X.\rho\rrbracket(P) \subseteq S$ and hence

$$\mathsf{It}\,f \in \llbracket\mu X.\rho\rrbracket(P) \to Q$$

□

Proposition 11 (Soundness). Given $\Gamma = x_1 : \sigma_1, \ldots, x_n : \sigma_n$ and $u_i \in \llbracket\sigma_i\rrbracket$ for $1 \le i \le n$ it follows that

$$\Gamma \vdash t : \tau \;\Longrightarrow\; t[x := u] \in \llbracket\tau\rrbracket$$

Proof. By induction over the derivation of $\Gamma \vdash t : \tau$ using Prop. 7-10. □

Theorem 1 is now a simple corollary:

Proof. Given $\Gamma \vdash t : \tau$, by (sat1) we know $x_i \in \llbracket\sigma_i\rrbracket$ and hence by Prop. 11 $t[x := x] \in \llbracket\tau\rrbracket \subseteq \mathrm{SN}^{\tau}$. □

$^6$ $\rho(\mathsf{It}\,f)$ is an abbreviation of $\rho(\lambda x.x, \mathsf{It}\,f)$, cf. the definition of strength in Sect. 2.
6 Coinductive Types

We shall sketch in this section how to extend our construction to coinductive types, i.e., introduce a type constructor $\nu$ to introduce terminal coalgebras. We will use greatest fixpoints of strictly positive operators.

6.1 Extending the Calculus

The calculus is given by the following extensions of $\lambda^{\mu}$:

Type constructor:

$$\frac{\rho \in \mathrm{Ty}(X, Y)}{\nu Y.\rho \in \mathrm{Ty}(X)}\ (\mathrm{Nu})$$

Constants:

$$d^{X.\rho} : (\nu X.\rho) \to \rho(\nu X.\rho) \qquad\qquad \mathsf{Co}^{X.\rho,\sigma} : (\sigma \to \rho(\sigma)) \to \sigma \to \nu X.\rho$$

Strength:

$$(\nu X.\rho)(f) = \mathsf{Co}(\lambda x^{\alpha}.\ \rho(f, \lambda y^{\alpha}.y)(d^{\alpha}\,x)) \qquad \text{where } \alpha \text{ stands for } \nu X.\rho(\sigma, X)$$

$\beta$ axiom:

$$d\,(\mathsf{Co}^{X.\rho,\sigma}\,f\,t) \;\rhd\; \rho(\mathsf{Co}\,f)(f\,t)$$

Evaluation context: $E[X] ::= \cdots \mid d\,X$

We interpret $\rhd_{\mathrm{whd}}$ and $\mathrm{Void}$ wrt. the extended definition of $E[X]$. We note that Lemma 1 remains true under this extension and we now understand Theorem 1 wrt. the extended calculus.
Note that, unlike for the $\mu$ types, we have not explicitly closed the interpretation under (sat1) and (sat2). However, we can show:

Proposition 12. The interpretation of coinductive types is saturated.

Proof. We show that

$$\llbracket\nu X.\rho\rrbracket(P)^{*} \subseteq \llbracket\nu X.\rho\rrbracket(P)$$

by verifying that $\llbracket\nu X.\rho\rrbracket(P)^{*}$ is closed under (destr') (and hence equivalently under (destr1) and (destr2)) by induction over $t \in \llbracket\nu X.\rho\rrbracket(P)^{*}$:

(sat1) If $t \in \mathrm{Void}$ then $d\,t \in \mathrm{Void} \subseteq \llbracket\rho\rrbracket(P, \llbracket\nu X.\rho\rrbracket(P)^{*})$ by (sat1) for $\rho$.

(sat2) Given $t \in \mathrm{SN}$, $t \rhd_{\mathrm{whd}} t'$, by ind.hyp. we assume that

$$d\,t' \in \llbracket\rho\rrbracket(P, \llbracket\nu X.\rho\rrbracket(P)^{*})$$

Since $d\,t \in \mathrm{SN}$ by Lemma 1 and $d\,t \rhd_{\mathrm{whd}} d\,t'$ we can use (sat2) for $\rho$.

(emb) Given $t \in \llbracket\nu X.\rho\rrbracket(P)$ we know that

$$d\,t \in \llbracket\rho\rrbracket(P, \llbracket\nu X.\rho\rrbracket(P)) \subseteq \llbracket\rho\rrbracket(P, \llbracket\nu X.\rho\rrbracket(P)^{*})$$

using (mon) and $\llbracket\nu X.\rho\rrbracket(P) \subseteq \llbracket\nu X.\rho\rrbracket(P)^{*}$. □

To show (sb2) we need an auxiliary relation $\le\ \subseteq\ \llbracket\nu X.\rho\rrbracket(\mathrm{SN}^n) \times \llbracket\nu X.\rho\rrbracket(\mathrm{SN}^n)$ which is inductively defined by

$$\frac{t \in \llbracket\nu X.\rho\rrbracket(\mathrm{SN}^n)}{t \le t}\ (\mathrm{refl}) \qquad\qquad \frac{t'' \le t' \qquad t' \mathrel{U^{\rho}_{n+1}} d\,t}{t'' \le t}\ (\mathrm{trans})$$

Intuitively, $\le$ is a generalization of the prefix relation on streams.

Lemma 3.

$$\frac{t' \le t}{t' \in \llbracket\nu X.\rho\rrbracket(U^{\nu X.\rho}(t))}$$

Proof. Given a fixed $t \in \llbracket\nu X.\rho\rrbracket(\mathrm{SN}^n)$ we show that the set $\le(t)$ is closed under (destr') for $\llbracket\nu X.\rho\rrbracket(U^{\nu X.\rho}(t))$ and hence by (co-elim) (see introduction, page 23) the rule holds.

We have to show $s \le t$ (i.e., $s \in \le(t)$) implies

$$d\,s \in \llbracket\rho\rrbracket(U^{\nu X.\rho}(t), \le(t))$$

We show this by induction over $s \le t$:

(refl) We have to show

$$d\,t \in \llbracket\rho\rrbracket(U^{\nu X.\rho}(t), \le(t))$$

By (sb2) for $\rho$ we know $d\,t \in \llbracket\rho\rrbracket(U^{\rho}(d\,t))$. For $1 \le i \le n$ (non-rec) implies that $U^{\rho}_i(d\,t) \subseteq U^{\nu X.\rho}_i(t)$, and using (trans) and (refl) it is easy to see that $U^{\rho}_{n+1}(d\,t) \subseteq \le(t)$. Hence by (mon) for $\llbracket\rho\rrbracket$ we have $d\,t \in \llbracket\rho\rrbracket(U^{\nu X.\rho}(t), \le(t))$.

(trans) Given

$$t' \mathrel{U^{\rho}_{n+1}} d\,t \qquad (6)$$

and as ind.hyp. $d\,t'' \in \llbracket\rho\rrbracket(U^{\nu X.\rho}(t'), \le(t'))$, we have to show

$$d\,t'' \in \llbracket\rho\rrbracket(U^{\nu X.\rho}(t), \le(t))$$

Using (rec) and (6) we know that $U^{\nu X.\rho}(t') \subseteq U^{\nu X.\rho}(t)$. Using (trans) and (6) we know $\le(t') \subseteq \le(t)$ and hence, by applying (mon) for $\llbracket\rho\rrbracket$ to the ind.hyp., we have $d\,t'' \in \llbracket\rho\rrbracket(U^{\nu X.\rho}(t), \le(t))$. □



Proposition 13. $\llbracket\nu X.\rho\rrbracket$ is monotone and set based.

Proof.

(sb1) We show that

$$u \mathrel{R_i} t \;:\Longleftrightarrow\; (t \in \llbracket\nu X.\rho\rrbracket(P) \Rightarrow u \in P_i)$$

is closed under the rules defining $U^{\nu X.\rho}_i$:

(non-rec) We have $d\,t \in \llbracket\rho\rrbracket(P, \llbracket\nu X.\rho\rrbracket(P))$ and hence by (sb1) for $\rho$ the premise $u \mathrel{U^{\rho}_i} d\,t$ implies $u \in P_i$.

(rec) As before we have $d\,t \in \llbracket\rho\rrbracket(P, \llbracket\nu X.\rho\rrbracket(P))$. Hence, using (sb1) for $\rho$, the first premise $t' \mathrel{U^{\rho}_{n+1}} d\,t$ implies $t' \in \llbracket\nu X.\rho\rrbracket(P)$. Now we use the second premise $u \mathrel{R_i} t'$ to conclude $u \in P_i$.

(sb2) Follows from Lemma 3 for $t \le t$. □



6.3 Extending Soundness

The soundness of $d$ follows directly from the definition of $\nu$:

Proposition 14.

$$d^{X.\rho} \in \llbracket(\nu X.\rho) \to \rho(\nu X.\rho)\rrbracket$$

We have to extend Prop. 10 by a case for $\mathsf{Co}$:

Proposition 15. Prop. 10 extended by:

3. If $n \ge 1$ assume $\tau_i \in \mathrm{Ty}$ and $P_i \in \mathrm{SAT}^{\tau_i}$ for $1 \le i < n$. Let $\sigma \in \mathrm{Ty}$ and $Q \in \mathrm{SAT}^{\sigma}$; it holds that

$$\mathsf{Co}^{X.\rho(\tau,X),\sigma} \in (Q \to \llbracket\rho\rrbracket(P, Q)) \to Q \to \llbracket\nu X.\rho\rrbracket(P)$$

Proof. We have to extend 1. by the case for $\nu$, but the reasoning is the same as for $\mu$. Let us consider 3.: Assuming $f \in Q \to \llbracket\rho\rrbracket(P, Q)$ we show that

$$S = \{\, \mathsf{Co}\,f\,t \mid t \in Q \,\}$$

is closed under (destr'). This entails $S \subseteq \llbracket\nu X.\rho\rrbracket(P)$, since $\llbracket\nu X.\rho\rrbracket(P)$ is defined as the greatest fixpoint of the rule (destr'), and thus our claim follows.

The definition of $S$ implies that $\mathsf{Co}\,f \in Q \to S$ (writing $\mathsf{Co}$ for $\mathsf{Co}^{X.\rho(\tau,X),\sigma}$). Assuming $t \in Q$ we have to show that $d\,(\mathsf{Co}\,f\,t) \in \llbracket\rho\rrbracket(P, S)$. We use (sat2) since $d\,(\mathsf{Co}\,f\,t) \rhd_{\mathrm{whd}} \rho(\mathsf{Co}\,f)(f\,t)$. By ind.hyp. we know that $\rho(\mathsf{Co}\,f) \in \llbracket\rho\rrbracket(P, Q) \to \llbracket\rho\rrbracket(P, S)$, which suffices to show that the reduct is in $\llbracket\rho\rrbracket(P, S)$. We finish by observing that an application of Lemma 1 shows that $d\,(\mathsf{Co}\,f\,t) \in \mathrm{SN}$. □

Prop. 11 can be extended to the new cases using Prop. 14 and 15, and hence Theorem 1 can be extended to $\lambda^{\mu\nu}$.

7 Conclusions and Further Work

It is straightforward to extend the construction presented here to primitive recursion

$$R^{\mu X.\tau,\sigma} : (\tau((\mu X.\tau) \times \sigma) \to \sigma) \to (\mu X.\tau) \to \sigma$$

and corecursion, via a constant of type

$$(\sigma \to \tau((\nu X.\tau) + \sigma)) \to \sigma \to \nu X.\tau$$

which we have to omit here due to lack of space. It may be argued that a syntactic approach to strong normalisation à la Benl [Ben98] may also be extended to a system as general as ours. However, we believe that the semantic approach using set based operators will allow further generalizations such as a functorial calculus (e.g., see [JBM98]) and heterogeneous datatypes as discussed in [AR99].
Abstract. We define two type assignment systems for first-order rewriting extended with application, $\lambda$-abstraction, and $\beta$-reduction, using a combination of ($\omega$-free) intersection types and second-order polymorphic types. The first system is the general one, for which we prove subject reduction, and strong normalisation of typeable terms. The second is a decidable subsystem of the first, obtained by restricting to Rank 2 (intersection and quantified) types. For this system we define, using an extended notion of unification, a notion of principal typing which is more general than ML's principal type property, since also the types for the free variables of terms are inferred.



Introduction

Since the first investigations on combinations of $\lambda$-calculus (LC) and term rewriting systems (TRS) [11,17,12,24], this topic has drawn attention from the theoretical computer science community. At first it was mainly the area of programming language design that was seen as the typical ground in which the theoretical results about the combinations of the two computational paradigms could better exploit their potentialities. Later on, the evolution of interactive proof development tools with inductive types, and theorem provers in general, disclosed a number of possible applications.

Apart from the practical outcome, most of the theoretical investigations in this particular field have shown that type disciplines provide an optimal environment in which rewrite rules and $\beta$-reduction can interact without loss of their useful properties [12,13,24,7,8,5]. Type disciplines come in two main flavours: explicitly typed and type inference systems (also called à la Curry). Systems based on the latter sort of type discipline are of great interest from the programming language design point of view. In fact, they save the programmer from specifying a type for each variable (i.e. no type annotation is required). Most of the results about combinations of LC and TRS, however, concern systems which are explicitly typed.

* Partially supported by NATO Collaborative Research Grant CRG 970285 ‘Extended Rewriting 
In the context of the LC alone, type inference disciplines have been widely studied, in particular with intersection types, and some work has also been done for TRS alone, more precisely, for Curryfied TRS (CuTRS) [6], which are first-order TRS with application, that correspond to the TRS underlying the programming language Clean [32]. The interactions between LC and TRS for type systems à la Curry, instead, have not been extensively investigated. They were first studied in [5], where CuTRS extended with $\lambda$-abstraction and $\beta$-reduction were defined, together with a notion of intersection type assignment for both the LC and the TRS fragments. In this paper we carry on this study by taking explicit polymorphism into account, namely the possibility, from the programming language point of view, of using the same program with arguments of different types.

We take into account also another important feature of type systems for programming 
languages: the notion of principal type, that is, a type from which all the other types of 
a term can be derived. As a matter of fact we consider an even stronger property than 
principal types: the principal typing property. This means that any typing judgement for 
a term can be obtained from the principal one, that is, not only the type but also the basis 
(containing the type assumptions for the free variables) is obtained. The pragmatic value 
of this property is demonstrated in [23], where it is shown that, unlike principal types, 
principal typings provide support for separate compilation, incremental type inference, 
and for accurate type error messages. 

The type system of ML is polymorphic and has principal types, but its polymorphism 
is limited (some programs that arise naturally cannot be typed), and it does not have 
principal typings (see [15,23]). System F [21] provides a much more general notion of 
polymorphism, but lacks principal types, and type inference is undecidable in general 
(although it is decidable for some subsystems, in particular if we consider types of rank 
2 [25]). Intersection type systems [10] are somewhere in the middle with respect to 
polymorphism, and have principal typings. But type assignment is again undecidable; 
decidability is recovered if we restrict ourselves to intersection types of finite rank [27]. 
In view of the above results, two questions arise naturally: 

1. Is the rank 2 combination of System F and the Intersection System also decidable?

2. Does it have the principal typing property?

Concerning the latter, there is a system for LC combining intersection types and System F, which has principal typings (see [22,30]). In this paper we extend the approach of that system to a combination of LC and CuTRS. In other words, we extend the type system of [5] further, adding '$\forall$' as an extra type-constructor (i.e. explicit polymorphism). Although extending the set of types by adding '$\forall$' does not extend the expressivity of the system in terms of typeable terms, the set of assignable types increases, and types can better express the behaviour of terms (see [14]). The resulting system has the expected properties: Subject Reduction, and Strong Normalization when the rewrite rules use a limited form of recursion (inspired by the General Schema of Jouannaud and Okada [24]). The proof of the latter follows the method of Tait-Girard's reducibility candidates, extended in order to take the presence of (higher-order) algebraic rewriting into account.

We also answer the first question in the affirmative. The restriction to types of rank 
2 of the combined system of polymorphic and intersection types is decidable. This 
restricted system can be seen as a combination of the systems considered in [4] and [25]. The combination is two-fold: not only the type systems of those two papers are combined (resp. intersection and polymorphic types of rank 2), but also their calculi are combined (resp. CuTRS and LC). In our Rank 2 system each typeable term has a principal typing. This is the case also in the Rank 2 intersection system of [4], but not in the Rank 2 polymorphic system of [25]. For the latter, a type inference algorithm of the same complexity as that of ML was given in [26], where the problems that occur due to the lack of principal types are discussed in detail. Our Rank 2 system also generalizes Jim's system $P_2$ [23], which is a combination of ML-types and Rank 2 intersection types. Having Rank 2 quantified types in the system allows us to type for instance the constant runST used in [29], which cannot be typed in $P_2$.

This paper is organised as follows: In Section 1 we define TRS with application, $\lambda$-abstraction and $\beta$-reduction (TRS + $\beta$), and in Section 2 the type assignment system. Section 3 deals with the strong normalization property for typeable terms. In Section 4 we present the restriction of the general type assignment system to Rank 2.

1 Term Rewriting Systems with $\beta$-Reduction

We present a combination of Lambda Calculus with Algebraic Rewriting, obtained by extending TRS with application, abstraction, and $\beta$-reduction. We can also look at such calculi as extensions of Curryfied Term Rewriting Systems (CuTRS) [6], by adding $\lambda$-abstraction and $\beta$-reduction. We assume the reader to be familiar with LC [9] and refer to [28,16] for rewrite systems.

Definition 1 (Terms). Given a countable infinite set $X$ of variables $x_1, x_2, x_3, \ldots$ (or $x, y, z, x', y', \ldots$), a non-empty set $\mathcal{F}$ of function symbols $F, G$, each with a fixed arity, and a special binary operator, called application ($Ap$), the set $T(\mathcal{F}, X)$ of terms is defined inductively:

1. $X \subseteq T(\mathcal{F}, X)$.

2. If $F \in \mathcal{F} \cup \{Ap\}$ is an $n$-ary symbol ($n \ge 0$), and $t_1, \ldots, t_n \in T(\mathcal{F}, X)$, then $F(t_1, \ldots, t_n) \in T(\mathcal{F}, X)$.

3. If $t \in T(\mathcal{F}, X)$, and $x \in X$, then $\lambda x.t \in T(\mathcal{F}, X)$.

Terms are considered modulo $\alpha$-conversion. A context $C[\ ]$ is a term with a hole. A neutral term is a term not of the form $\lambda x.t$. A lambda term is a term not containing function symbols. An algebraic term is a term containing neither $\lambda$ nor $Ap$. The set of free variables of a term $t$ is defined as usual, and denoted by $FV(t)$.

To denote a term-substitution, we use capital characters like 'R', instead of Greek characters like '$\sigma$', which will be used to denote types. Sometimes we use the notation $\{x_1 \mapsto t_1, \ldots, x_n \mapsto t_n\}$. We write $t^R$ for the result of applying the term-substitution $R$ to $t$. Reductions are defined through rewrite rules together with a $\beta$-reduction rule.

Definition 2 (Reduction). A rewrite rule is a pair $(l, r)$ of terms, written $l \to r$. Three conditions are imposed: $l \notin X$, $l$ is an algebraic term, and $FV(r) \subseteq FV(l)$. The $\beta$-rule is defined by: $Ap(\lambda x.t, u) \to_{\beta} t^{\{x \mapsto u\}}$. A rewrite rule $l \to r$ determines a set of
rewrite steps $C[l^R] \to C[r^R]$ for all term-substitutions $R$ and contexts $C[\ ]$. Likewise, for any $t$ and $u$, $C[Ap(\lambda x.t, u)] \to_{\beta} C[t^{\{x \mapsto u\}}]$. Concatenating rewrite steps we have rewrite sequences $t_0 \to t_1 \to t_2 \to \cdots$. If $t_0 \to \cdots \to t_n$ ($n \ge 0$) we also write $t_0 \to^{*} t_n$, and $t_0 \to^{+} t_n$ if $t_0 \to^{*} t_n$ in one step or more.

A Term Rewriting System with $\beta$-reduction rule (TRS + $\beta$) is defined by a set $\mathbf{R}$ of rewrite rules.

Note that the rewrite rules considered in this paper may contain $\lambda$-abstractions in the right-hand sides. A TRS + $\beta$ is strongly normalizing, or terminating, if all the rewrite sequences are finite. It is confluent if for all $t$ such that $t \to^{*} u$ and $t \to^{*} v$, there exists $s$ such that $u \to^{*} s$ and $v \to^{*} s$. We take the view that in a rewrite rule a certain symbol is defined: $F$ is a defined symbol if there is a rewrite rule $F(t_1, \ldots, t_n) \to r$. $Q \in \mathcal{F}$ is called a constructor if $Q$ is not a defined symbol. Notice that $Ap$ cannot be a defined symbol since it cannot appear in the left-hand side of a rewrite rule.

Example 3. The following TRS + $\beta$ defines the functions append and map on lists and establishes the associativity of append; nil and cons are constructors.

$$\begin{array}{rcl}
append(nil, l) & \to & l \\
append(cons(x, l), l') & \to & cons(x, append(l, l')) \\
append(append(l, l'), l'') & \to & append(l, append(l', l'')) \\
map(f, nil) & \to & nil \\
map(f, cons(y, l)) & \to & cons(Ap(f, y), map(f, l))
\end{array}$$

Since variables in TRS + $\beta$ can be substituted by $\lambda$-expressions, we obtain the usual functional programming paradigm, extended with (recursive) definitions of operators and data structures.

One could argue that the map function of the above example works properly only when $f$ is replaced by a $\lambda$-expression. What if we would like to substitute a defined symbol, say $G$ (with arity 1), for the variable $f$? This is not allowed by our syntax, since Curryfication is not used on algebraic terms, i.e. an element of the signature is not a term by itself. This makes sense; otherwise we could reduce $map(G, cons(y, l))$ to $cons(Ap(G, y), map(f, l))$ and this would force us to add a further rule stating that $Ap(G, y)$ can be reduced to $G(y)$, so adding extra rules and allowing also $Ap$ in left-hand sides of reduction rules. In our approach, instead, using $\lambda$-abstraction, the desired result is obtained simply by instantiating $f$ with the correct term $\lambda x.G(x)$. It will be the $\beta$-rule which produces $G(x)$ out of $Ap(\lambda x.G(x), y)$. This means that we can treat the "mapping" of either a defined symbol or of a lambda-calculus function uniformly.

Notice how, by allowing $\lambda$-abstractions in the right-hand sides, it is possible to define rules like $maptwice(f, l) \to map(\lambda x.Ap(f, Ap(f, x)), l)$.
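As an added illustration (our own Python, not code from the paper), the following implements the terms of Definition 1, the $\beta$-rule with capture-avoiding substitution, and the rewrite rules of Example 3 together with the maptwice rule above, so that $map(\lambda x.G(x), l)$ can actually be run. All class and function names are our choice, and the leftmost-outermost strategy is an assumption the paper does not fix (its rewrite steps may fire in any context).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Terms of Definition 1 (class names are ours): a variable, F(t1, ..., tn) where the
# symbol "Ap" plays the role of application, and a lambda-abstraction.
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class App: sym: str; args: Tuple["Term", ...] = ()
@dataclass(frozen=True)
class Lam: var: str; body: "Term"
Term = Union[Var, App, Lam]
Rule = Tuple[Term, Term]                              # a rewrite rule l -> r

def fv(t: Term) -> frozenset:
    """FV(t), the free variables of a term."""
    if isinstance(t, Var): return frozenset([t.name])
    if isinstance(t, App): return frozenset().union(*(fv(a) for a in t.args))
    return fv(t.body) - {t.var}

def subst(t: Term, R: Dict[str, Term]) -> Term:
    """t^R: apply the term-substitution R, renaming a binder that would capture."""
    if isinstance(t, Var):
        return R.get(t.name, t)
    if isinstance(t, App):
        return App(t.sym, tuple(subst(a, R) for a in t.args))
    R2 = {v: u for v, u in R.items() if v != t.var}   # the bound variable is untouched
    clash = frozenset().union(*(fv(u) for u in R2.values()))
    if t.var in clash:                                # alpha-rename the binder first
        new = t.var
        while new in clash or new in fv(t.body):
            new += "'"
        return Lam(new, subst(subst(t.body, {t.var: Var(new)}), R2))
    return Lam(t.var, subst(t.body, R2))

def match(p: Term, t: Term, R: Dict[str, Term]) -> bool:
    """First-order matching of an algebraic left-hand side p against t, filling R."""
    if isinstance(p, Var):
        if p.name in R:
            return R[p.name] == t                     # non-linear patterns must agree
        R[p.name] = t
        return True
    return (isinstance(t, App) and p.sym == t.sym and len(p.args) == len(t.args)
            and all(match(pa, ta, R) for pa, ta in zip(p.args, t.args)))

def step(t: Term, rules: List[Rule]) -> Optional[Term]:
    """One leftmost-outermost step (rule at the root, beta-rule, or inside C[ ]); None if normal."""
    if isinstance(t, App):
        if t.sym == "Ap" and isinstance(t.args[0], Lam):  # Ap(λx.t, u) ->β t{x ↦ u}
            lam, u = t.args
            return subst(lam.body, {lam.var: u})
        for lhs, rhs in rules:                        # C[l^R] -> C[r^R] at the root
            R: Dict[str, Term] = {}
            if match(lhs, t, R):
                return subst(rhs, R)
        for i, a in enumerate(t.args):
            a2 = step(a, rules)
            if a2 is not None:
                return App(t.sym, t.args[:i] + (a2,) + t.args[i + 1:])
    elif isinstance(t, Lam):
        b = step(t.body, rules)
        if b is not None:
            return Lam(t.var, b)
    return None

def normalize(t: Term, rules: List[Rule], fuel: int = 10_000) -> Term:
    """Rewrite to normal form; `fuel` bounds the sequence for a non-terminating system."""
    for _ in range(fuel):
        nxt = step(t, rules)
        if nxt is None:
            return t
        t = nxt
    raise RuntimeError("rewrite sequence did not terminate within fuel")

def show(t: Term) -> str:
    if isinstance(t, Var): return t.name
    if isinstance(t, Lam): return f"λ{t.var}.{show(t.body)}"
    return t.sym + (f"({', '.join(map(show, t.args))})" if t.args else "")

def F(sym: str, *args: Term) -> Term: return App(sym, tuple(args))
def Ap(g: Term, a: Term) -> Term: return App("Ap", (g, a))
x, y, f, l, l1, l2, nil = Var("x"), Var("y"), Var("f"), Var("l"), Var("l'"), Var("l''"), F("nil")
RULES: List[Rule] = [                                 # Example 3, plus the text's maptwice rule
    (F("append", nil, l), l),
    (F("append", F("cons", x, l), l1), F("cons", x, F("append", l, l1))),
    (F("append", F("append", l, l1), l2), F("append", l, F("append", l1, l2))),
    (F("map", f, nil), nil),
    (F("map", f, F("cons", y, l)), F("cons", Ap(f, y), F("map", f, l))),
    (F("maptwice", f, l), F("map", Lam("x", Ap(f, Ap(f, x))), l)),
]

def demo() -> Dict[str, str]:
    g = Lam("x", F("G", x))                           # λx.G(x): mapping the defined symbol G
    lst = F("cons", Var("a"), F("cons", Var("b"), nil))
    return {"map": show(normalize(F("map", g, lst), RULES)),
            "maptwice": show(normalize(F("maptwice", g, lst), RULES)),
            # substituting y for x under λy must rename the binder rather than capture y
            "capture": show(normalize(Ap(Lam("x", Lam("y", Ap(x, y))), y), []))}
```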

2 A Polymorphic Intersection System for TRS + $\beta$

We define a type assignment system for TRS + $\beta$ that contains sorts (constant types), arrow-, intersection- and universally quantified types. We assume the reader to be familiar with intersection type assignment systems, and refer to [10,1,3] for more details.

Several systems can be considered as fragments of our type assignment system:

1. The system of [5]: $\forall$-free fragment

2. The system of [6]: $\lambda$-free, $\forall$-free fragment

3. The system of [3]: sort-free, $\forall$-free, LC-fragment

4. The type assignment version of System F [21]: intersection-free LC-fragment

5. The system of [30]: sort-free LC-fragment

Indeed, the latter system is not a proper fragment, since we use strict intersection types (i.e. an intersection type cannot be the right-hand side of an arrow type). However this is not an actual difference, since the use of strict intersection types, while simplifying the typing procedures, does not affect the typing power. Any term typeable in the full intersection type discipline can be given a strict type and vice-versa [1].

For what concerns System F, its type assignment version can be seen as a fragment of our system, but our system is not a pure intersection-extension: we cannot quantify intersection types. Again, this is not a real problem: for any universally quantified intersection type we have an equivalent type of the form $(\forall\alpha.\sigma_1) \cap (\forall\alpha.\sigma_2)$.

Definition 4 (Types). Let $\Phi \uplus A$ be a set of type-variables, where $\Phi = \{\varphi_0, \varphi_1, \ldots\}$ is the set of free variables, and $A = \{\alpha_0, \alpha_1, \ldots\}$ the set of bound variables. Let $S = \{s_0, s_1, \ldots\}$ be a set of sorts. $T_s$, the set of polymorphic strict types, and $T$, the set of polymorphic strict intersection types, are defined by:

$$T_s ::= \varphi \mid s \mid (T \to T_s) \mid \forall\alpha.T_s[\alpha/\varphi] \qquad\qquad T ::= (T_s \cap \cdots \cap T_s)$$

For various reasons (definition of operations on types, definition of unification), we distinguish syntactically between free type-variables (in $\Phi$) and bound type-variables (in $A$). As usual '$\to$' associates to the right, and '$\cap$' binds stronger than '$\to$', which binds stronger than '$\forall$'; so $\rho \cap \mu \to \forall\alpha.\gamma \to \delta$ stands for $((\rho \cap \mu) \to (\forall\alpha.(\gamma \to \delta)))$. Also, $\forall\alpha.\sigma$ is used as abbreviation for $\forall\alpha_1.\forall\alpha_2 \cdots \forall\alpha_n.\sigma$, and we assume that each variable is bound at most once in a type (renaming if necessary). In the meta-language, we denote by $\sigma[\tau/\varphi]$ (resp. $\sigma[\tau/\alpha]$) the substitution of the type-variable $\varphi$ (resp. $\alpha$) by $\tau$ in $\sigma$.

$FV(\sigma)$, the set of free variables of a type $\sigma$, is defined as usual (note that by construction, $FV(\sigma) \subseteq \Phi$). A type is called closed if it contains no free variables, and ground if it contains no variables at all.

Definition 5 (Relations on types). The relation $\le$ is defined as the least preorder (i.e. reflexive and transitive relation) on $T$ such that:

$$\begin{array}{ll}
\forall n \ge 1,\ \forall 1 \le i \le n\ [\sigma_1 \cap \cdots \cap \sigma_n \le \sigma_i] & \forall\alpha.\sigma \to \tau \le \sigma \to \forall\alpha.\tau,\ (\alpha \text{ not in } \sigma) \\
\sigma \le \tau \Rightarrow \forall\alpha.\sigma[\alpha/\varphi] \le \forall\alpha.\tau[\alpha/\varphi] & \forall\alpha.\sigma \le \sigma[\tau/\alpha] \\
\rho \le \sigma\ \&\ \tau \le \mu \Rightarrow \sigma \to \tau \le \rho \to \mu & \sigma \le \forall\alpha.\sigma,\ (\alpha \text{ is fresh}) \\
\forall n \ge 1,\ \forall 1 \le i \le n\ [\sigma \le \sigma_i] \Rightarrow \sigma \le \sigma_1 \cap \cdots \cap \sigma_n &
\end{array}$$

The equivalence relation $\sim$ is defined by: $\sigma \sim \tau \Longleftrightarrow \sigma \le \tau \le \sigma$. We work with types modulo $\sim$.

2.1 Type Assignment

Definition 6 (Statement and Basis).

1. A statement is an expression of the form $t{:}\sigma$, where $\sigma \in T$. The term $t$ is the subject and $\sigma$ the predicate of $t{:}\sigma$.

2. A basis is a set of statements with only distinct variables as subjects.

3. For bases $B_1, \ldots, B_n$, $\Pi\{B_1, \ldots, B_n\}$ is the basis defined by: $x{:}\sigma_1 \cap \cdots \cap \sigma_m \in \Pi\{B_1, \ldots, B_n\}$ if and only if $\{x{:}\sigma_1, \ldots, x{:}\sigma_m\}$ is the (non-empty) set of all statements about $x$ that occur in $B_1 \cup \cdots \cup B_n$.

4. We extend $\le$ and $\sim$ to bases by: $B \le B'$ if and only if for every $x{:}\sigma' \in B'$ there is an $x{:}\sigma \in B$ such that $\sigma \le \sigma'$, and $B \sim B'$ if and only if $B \le B' \le B$.

We will write $B, x{:}\sigma$ for the basis $\Pi\{B, \{x{:}\sigma\}\}$, when $x$ does not occur in $B$, and write $B \setminus x$ for the basis obtained from $B$ by removing the statement that has $x$ as subject.

One of the main features of type assignment systems, and intersection systems in particular, is to provide flexibility of typing. This feature seems in contrast with the type rigidity implicitly possessed by function symbols. They have precise arities and a precise functional behaviour, as expressed by the rewriting rules.

Developing a type assignment containing function symbols necessarily implies a sort of mediation, for what concerns algebraic terms, between flexibility and rigidity. We achieve this by using an environment providing a type for each function symbol. Such a type, however, is not rigid: from it we can derive many types to be used for different occurrences of the symbol in a term, all of them 'consistent' with the type provided by the environment.

Definition 7 (Environment). An environment is a mapping $\mathcal{E} : \mathcal{F} \to T$.

In order to obtain valid instances of the type provided by an environment for a function symbol we will use operations which are standard in type systems with intersection types, suitably modified in order to take into account the presence of universal quantifiers. These operations are: substitution, expansion, lifting and closure.

In type systems based on arrow types with type-variables, the operation of substitution generates all valid instances of a given type by replacing types for type variables. In presence of intersection types, valid instances could also be the result of replacing (sub)types of substitution instances by the intersection of a number of renamed copies of that (sub)type. This is (roughly) what is performed by the operation of expansion. The operation of lifting, instead, generates instances of types using the $\le$ relation. The last operation we consider, closure, is not present in other type systems with intersection types and has been devised to deal in particular with universal quantification.

In the following we shall have to consider the notion of principal typing for a term, that is the typing from which all the possible typings for the term can be derived. This can be achieved by means of the above discussed operations. This implies that we shall have to define the above operations not only on types, but on type derivations as well. We shall use a triple $\langle B, \tau, E \rangle$ - where $B$ is a basis, $\tau$ a type, and $E$ a set of types - as an abstraction of a derivation for a term. Theorem 19 will guarantee that a triple is a sound representation of a derivation from the point of view of operations. Indeed for any operation $op$, $B \vdash_{\mathcal{E}} t{:}\sigma$ implies $B' \vdash_{\mathcal{E}} t{:}\sigma'$, where the triple representing the second derivation is obtained from the one for the first derivation by means of $op$.

In the following, we shall define two versions of any of our four operations, one to be applied on types, the other one on triples representing typing derivations. For any
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operation we shall use the same symbols to denote the two versions, since the context 
will always clarify any possible ambiguity. 

For substitution and lifting the versions on triples will be straightforward extensions 
of those on types, whereas for the other operations, expansion in particular, even if 
strongly related, the two versions will not be simple extensions of each other. 

Definition 8. The substitution {tp^p) : T ^ T, where (p is a type-variable in <P and 
p gTs, applied to a replaces all the occurrences of in ct by p, formally: 

{p^p){a)=a {p^p){a^T) = p){a)^{p^ p){t) 

((^H>p)(s) =S • -nCTn) = (v3H>p)(cri)n- • •n((pH>p)(cr„) 

{p^p){p) =p (<^H>p)(Va.cr) = Va.((^H>p)(cr) 

{p^p){p') = p', iip' ^P 

We will use S to denote a generic substitution. Substitutions extend to triples in the 
natural way: S{{B, a, E)) = {{x:S{p) \ x:p G B}, S{a),{S{p) \ p G E}). 

Two different definitions of expansion appear in the literature for LC, depending on 
whether one uses a set of types (see e.g. [34]) or a set of type variables (see e.g. [3]) 
to characterise the set of types affected by the expansion. We adapt to our system the 
definition given in [34]. The extension to deal with types containing sorts has already 
been done in [18], here quantifiers are also taken into account. 

As mentioned above, the operation of expansion deals with the replacement of a 
subtype of a type by an intersection of a number of renamed copies of that subtype. Hence 
an expansion is determined by a pair (/i, n) which indicates the subtype to be expanded 
and the number of copies that have to be generated. When a subtype is expanded, new 
type variables are generated, and other subtypes might be affected (e.g. the expansion 
of T in a^T might affect also cr. intuitively, each renamed copy of r will have an 
associated copy of cr; see [34] for a detailed explanation). Ground types are not affected 
by expansions since all renamed copies coincide (and crncr ~ a). 

Also, we need to define the notion of expansion not only for types, but for derivations 
as well, represented by triples. An expansion applied to a derivation should “produce” 
another well-formed derivation. This however cannot be the case unless, when defining 
the expansion on triples, the set of types that might be affected by the expansion includes 
also the types in the basis and those assigned to the function symbols in the derivation 
(represented by the set $E$ of the triple). This means that the definition of expansion on 
triples cannot, like for substitution, be a simple extension of that on types. However, 
instead of defining two quite different versions of expansion (for types and for derivations), 
we shall define first the notion of expansion on triples, depending on a pair $(\mu,n)$, 
and later the notion of expansion on types based on the one on triples. 

In the definition of expansion, given a pair $(\mu,n)$, to compute the triple obtained 
by applying the expansion determined by the given pair to a triple $\langle B,\sigma,E\rangle$, we first 
compute a set $\mathcal{L}_\mu(\langle B,\sigma,E\rangle)$ of affected types. The types modified by the expansion 
will be those that ‘end’ with a type in this set. The notion of last subtypes in a strict type 
plays an important role in this operation. 

Definition 9. The set of last subtypes of a type $\tau\in\mathcal{T}_s$, $last(\tau)$, is defined by: 

$last(\varphi) = \{\varphi\}$ $\qquad$ $last(\sigma\to\rho) = \{\sigma\to\rho\}\cup last(\rho)$ 

$last(s) = \{s\}$ $\qquad$ $last(\forall\alpha.\sigma) = \{\forall\alpha.\sigma\}\cup last(\sigma[\varphi_\alpha/\alpha])$ 

Note that for types of the form $\forall\alpha.\sigma$, $\sigma$ is not a well-formed subtype according to 
our convention (free variables must belong to $\Phi$). For this reason we consider a mapping 
that associates to each $\alpha$ a different fresh $\varphi_\alpha\in\Phi$ and rename $\alpha$ in $\sigma$, using $\varphi_\alpha$. 
In this way we can define subtypes of types in $\mathcal{T}$, as usual. 

The definition of expansion, already non-trivial in the intersection system, becomes 
quite involved in the presence of universal quantifiers. We define it in four steps. 

Definition 10 (Expansion on triples). Let $\mu$ be a type in $\mathcal{T}$, $n\ge 2$. The pair $(\mu,n)$ 
determines an expansion $E_{(\mu,n)}$ that is a function from triples to triples in the 
following way: Let $\langle B,\sigma,E\rangle$ be a triple ($B$ a basis, $\sigma\in\mathcal{T}$ and $E$ a set of types in $\mathcal{T}$; 
we assume that each variable is bound at most once in $\mu, B, \sigma, E$). The triple 
$E_{(\mu,n)}(\langle B,\sigma,E\rangle)$ is computed applying the following steps. 

1. Affected types: Let $\mathcal{L}_\mu(\langle B,\sigma,E\rangle)$ be the set of types defined by: 

a) Any non-closed strict subtype of $\mu$ is in $\mathcal{L}_\mu(\langle B,\sigma,E\rangle)$. 

b) Let $\tau$ be a non-closed strict (sub)type occurring in $\langle B,\sigma,E\rangle$. If $\tau'$ is a most 
general instance (with respect to the universal quantifiers) of $\tau$ such that 
$last(\tau')\cap\mathcal{L}_\mu(\langle B,\sigma,E\rangle)\neq\emptyset$, then $\tau'\in\mathcal{L}_\mu(\langle B,\sigma,E\rangle)$. 

c) Any non-closed strict subtype of $\tau\in\mathcal{L}_\mu(\langle B,\sigma,E\rangle)$ is in $\mathcal{L}_\mu(\langle B,\sigma,E\rangle)$. 

2. Renamings: Let $\mathcal{V}_\mu(\langle B,\sigma,E\rangle) = \{\varphi_1,\ldots,\varphi_m\}$ be the set of free type variables 
occurring in $B,\sigma,\mu,E$ that appear in $\mathcal{L}_\mu(\langle B,\sigma,E\rangle)$, and let $S_i$ ($1\le i\le n$) be the 
substitution that replaces every $\varphi_j$ by a fresh variable $\varphi_j^i$, and every $\alpha_j$ and $\varphi_{\alpha_j}$ by 
$\alpha_j^i$ (actually, $S_i$ is just a renaming). 

3. Definition of the function $Exaux$ from types to types: for any $\tau\in\mathcal{T}$ (without loss of 
generality we assume that its bound variables are disjoint with those of $\mu, B, \sigma, E$) 
the type $Exaux(\tau)$ is obtained out of $\tau$ by traversing $\tau$ top-down and replacing in $\tau$ 
a maximal non-closed subtype $\beta$ such that there exists a most general instance 
(w.r.t. the universal quantifiers) $\beta'$ of $\beta$ with $last(\beta')\cap\mathcal{L}_\mu(\langle B,\sigma,E\rangle)\neq\emptyset$ 

a) by $S_1(\beta)\cap\cdots\cap S_n(\beta)$ if $\beta' = \beta$, 

b) otherwise by 

$\bigcap_{1\le j\le p}\big(S_1(\beta'_j)\cap\cdots\cap S_n(\beta'_j)\big)\ \cap\ \forall\alpha.\,Exaux(\rho[c/\alpha])[\alpha/c]$ 

where $\beta = \forall\alpha.\rho$, $\beta'_j$ ($1\le j\le p$) are all the most general instances of $\beta$ satisfying 
the condition, and $c$ are fresh constants replacing the variables instantiated in 
the instances $\beta'_j$ of $\beta$. 

4. $E_{(\mu,n)}(\langle B,\sigma,E\rangle)$ is the triple 

$\langle\{x{:}Exaux(\rho)\mid x{:}\rho\in B\},\ Exaux(\sigma),\ \{Exaux(\rho)\mid\rho\in E\}\rangle$ 

Definition 11 (Expansion on types). Given $(\mu,n)$ and $\langle B,\sigma,E\rangle$, an expansion 
on types is defined by 

$E_{(\mu,n)}(\tau) = Exaux(\tau)$ 

where $Exaux$ is defined as in the previous definition. 

Some explanations are in order. The result of an operation of expansion on triples, 
and hence on types, is not unique because it depends on the choice of new variables 
in part 2 of the definition; but it is unique modulo renaming of variables (and this is 
sufficient for our purpose). It is always a type in $\mathcal{T}$: we never introduce an intersection at 
the right-hand side of an arrow type, and never quantify an intersection type (see part 3). 
A type might be affected by an expansion even if its free variables are disjoint with 
those of the subtype to be expanded. The reason is that universally quantified variables 
represent an infinite set of terms (their instances), so if one instance is affected, the whole 
type is affected. If we are applying an expansion operation to a universally quantified 
type, some instances may be expanded (if their last subtypes are in the set of computed 
types) whereas others are not (if their last subtypes are not in the set of computed types). 
In this case the expansion of the universally quantified type will be the intersection of 
the expansions of each class of instances. Since there is only a finite set of computed 
types, the operation is well defined. 

Example 12. Let 7 be and Ebe the expansion 

determined by 2 ) with respect to ( 0 , 7, 0 ). Then 

((0,7,0)) = V^i((0,7)) = and (to save space, we 

write I instead of (f’l) 

E{i) = n 

Let now $\gamma$ be $\forall\alpha_2\forall\alpha_3.(\iota\to\alpha_2)\to(\alpha_3\to\iota)\to\alpha_3\to\alpha_2$, and $E$ be the same expansion. 
Then $\mathcal{L}(\langle\emptyset,\gamma,\emptyset\rangle) = \{\iota,\ \forall\alpha_3.(\iota\to\iota)\to(\alpha_3\to\iota)\to\alpha_3\to\iota,\ (\iota\to\iota)\to(\alpha_3\to\iota)\to\alpha_3\to\iota,$ 
$\iota\to\iota,\ \alpha_3\to\iota,\ \alpha_3\}$, and 

$E(\gamma) = (\forall\alpha_3.(\iota\to\iota)\to(\alpha_3\to\iota)\to\alpha_3\to\iota)\ \cap\ (\forall\alpha_3'.(\iota'\to\iota')\to(\alpha_3'\to\iota')\to\alpha_3'\to\iota')\ \cap$ 
$(\forall\alpha_2\forall\alpha_3^1\forall\alpha_3^2.(\iota\cap\iota'\to\alpha_2)\to((\alpha_3^1\to\iota)\cap(\alpha_3^2\to\iota'))\to\alpha_3^1\cap\alpha_3^2\to\alpha_2)$. 

For types in $\mathcal{T}$ without sorts and $\forall$, the operation of expansion defined by Ronchi 
della Rocca and Venneri [34] gives the same results as ours, modulo the relation $\sim$ 
defined for full intersection types (but the representatives of equivalence classes chosen 
in [34] are not always types in $\mathcal{T}$). 

The operation of lifting replaces basis and type by a smaller basis and a larger type, 
in the sense of $\le$ (see [2] for details). This operation allows us to eliminate intersections 
and universal quantifiers, using the $\le$ relation. 

Definition 13. An operation of lifting on triples is determined by a pair 
$L = \langle(B_0,\tau_0),(B_1,\tau_1)\rangle$ such that $\tau_0\le\tau_1$ and $B_1\le B_0$. 

$L(\langle B,\sigma,E\rangle) = \langle B',\sigma',E\rangle$ 

where $\sigma' = \tau_1$, if $\sigma = \tau_0$, otherwise $\sigma' = \sigma$; and $B' = B_1$, if $B = B_0$, $B' = B$, 
otherwise. A lifting on types is determined by a pair $L = (\tau_0,\tau_1)$ such that $\tau_0\le\tau_1$ and 
defined by $L(\sigma) = \sigma'$, where $\sigma' = \tau_1$, if $\sigma = \tau_0$, and $\sigma' = \sigma$, otherwise. 

The operation of closure introduces quantifiers, taking into account the basis where 
a type is used. 

Definition 14. A closure is an operation characterised by a type-variable ($\varphi$). It is 
defined by: 

$Cl_\varphi(\langle B,\sigma,E\rangle) = \langle B,\tau,E\rangle$ 

where $\tau = \forall\alpha.\sigma[\alpha/\varphi]$, if $\varphi$ does not appear in $B$ ($\alpha$ is a fresh variable), and $\tau = \sigma$, 
otherwise. It is extended to types by: $Cl_\varphi(\sigma) = \tau$, if $Cl_\varphi(\langle\emptyset,\sigma,\emptyset\rangle) = \langle\emptyset,\tau,\emptyset\rangle$. 

Definition 15. The set $Ch$ of chains for types/triples is defined as the smallest set 
containing expansions, substitutions, liftings, and closures on types/triples, that is 
closed under composition. Chains are denoted as $[O_1,\ldots,O_n]$. 

Notice that, although the operation of substitution seems redundant, in that one could 
simulate substitution via closure and lifting, this is only the case for type variables that 
do not occur in the basis. 



Definition 16 (Type Assignment Rules). 

1. Type assignment (with respect to $\mathcal{E}$) is defined by the following natural deduction 
system in sequent form (where all types displayed are in $\mathcal{T}_s$, except for $\sigma_1,\ldots,\sigma_n$ 
in rule $(F)$ and $\sigma$ in rules $(\cap I)$, $(\le)$). Note the use of a chain of operations in 
rule $(F)$. 

$(\le):\ \dfrac{x{:}\sigma\in B\quad\sigma\le\tau}{B\vdash_{\mathcal{E}} x{:}\tau}$ 

$(\to E):\ \dfrac{B\vdash_{\mathcal{E}} t_1{:}\sigma\to\tau\quad B\vdash_{\mathcal{E}} t_2{:}\sigma}{B\vdash_{\mathcal{E}} Ap(t_1,t_2){:}\tau}$ 

$(F):\ \dfrac{B\vdash_{\mathcal{E}} t_1{:}\sigma_1\ \cdots\ B\vdash_{\mathcal{E}} t_n{:}\sigma_n}{B\vdash_{\mathcal{E}} F(t_1,\ldots,t_n){:}\sigma}\ (a)$ 

$(\to I):\ \dfrac{B,x{:}\sigma\vdash_{\mathcal{E}} t{:}\tau}{B\vdash_{\mathcal{E}} \lambda x.t{:}\sigma\to\tau}$ 

$(\cap I):\ \dfrac{B\vdash_{\mathcal{E}} t{:}\sigma_1\ \cdots\ B\vdash_{\mathcal{E}} t{:}\sigma_n}{B\vdash_{\mathcal{E}} t{:}\sigma_1\cap\cdots\cap\sigma_n}$ 

$(\forall I):\ \dfrac{B\vdash_{\mathcal{E}} t{:}\sigma}{B\vdash_{\mathcal{E}} t{:}\forall\alpha.\sigma[\alpha/\varphi]}\ (b)$ 

$(\forall E):\ \dfrac{B\vdash_{\mathcal{E}} t{:}\forall\alpha.\sigma}{B\vdash_{\mathcal{E}} t{:}\sigma[\tau/\alpha]}$ 

(a) If there exists a chain $Ch$ on types such that $\sigma_1\to\cdots\to\sigma_n\to\sigma = Ch(\mathcal{E}(F))$. 

(b) If $\varphi$ does not occur (free) in $B$. 

2. We write $B\vdash_{\mathcal{E}} t{:}\sigma$, and say that $t$ is typeable, if and only if this judgement is 
derivable using the above rules. 

3. If $E$ is the set of types assigned to function symbols in such a derivation, we 
represent it by $\langle B,\sigma,E\rangle$. 



As said before, the use of an environment in rule (F) introduces a notion of poly- 
morphism for our function symbols, which is an extension (with intersection types and 
general quantification) of the ML-style of polymorphism. The environment returns the 
‘principal type’ for a function symbol; this symbol can be used with types that are 
‘instances’ of its principal type, obtained by applying chains of operations. 

Note that the rule $(\le)$ is only defined for variables, and we have a $(\forall E)$-rule for 
arbitrary terms but not an $(\cap E)$-rule. Indeed, the $(\cap E)$-rule for arbitrary terms can be 
derived from this system of rules. On the other hand, the $(\forall E)$-rule cannot be derived 
if it is not present in the system. This asymmetry comes from the fact that our types are 
strict with respect to intersection, but not with respect to $\forall$. 



Type Assignment for Rewrite Rules. Being able to infer a type for a term does not 
give any guarantee about the typing of the terms in any reduction path out of it. Indeed 
we need to make sure that the rewrite rules respect the intended functional behaviour for 
the function symbols of the signature expressed by the environment. The environment, 
however, does not express a strict condition on the type of function symbols, leaving 
room for flexibility by letting us use different consistent instances of the type of a symbol 
for different occurrences of it. So, we would like to have a certain degree of flexibility 
also in the use of rewriting rules, without losing the property of subject reduction, 
which is essential in type systems. In order to achieve this we define a notion of type 
assignment on rewrite rules, as done in [6], using the notion of principal triple. 

Definition 17. A triple $\langle P,\pi,E\rangle$ is called a principal triple for $t$ with respect to $\mathcal{E}$, if 
the following conditions hold: 

(a) $P\vdash_{\mathcal{E}} t{:}\pi$, with associated triple $\langle P,\pi,E\rangle$; 

(b) $B\vdash_{\mathcal{E}} t{:}\sigma$, with associated triple $\langle B,\sigma,E'\rangle$, implies that there is a chain on triples 
$Ch$ such that $Ch(\langle P,\pi,E\rangle) = \langle B,\sigma,E'\rangle$. 

The typeability of rules ensures consistency with respect to the environment. 

Definition 18. 1. We say that $l\to r\in R$ with defined symbol $F$ is typeable with 
respect to $\mathcal{E}$, if there are $P$, $\pi$ and $E$ such that: 

a) $\langle P,\pi,E\rangle$ is a principal triple for $l$ with respect to $\mathcal{E}$, and $P\vdash_{\mathcal{E}} r{:}\pi$. 

b) In $P\vdash_{\mathcal{E}} l{:}\pi$ and $P\vdash_{\mathcal{E}} r{:}\pi$ all occurrences of $F$ are typed with $\mathcal{E}(F)$. 

2. We say that a TRS + $\beta$ is typeable with respect to $\mathcal{E}$, if all $r\in R$ are. 

Note that for a rule $F(t_1,\ldots,t_n)\to r$ to be typeable, $\mathcal{E}(F)$ must be of the form 
Although $\mathcal{E}(F)$ cannot have an outermost universal quantifier, its 
free variables play the same role as universally quantified variables (since they can 
be instantiated by substitution operations). In particular, for the polymorphic identity 
function $I$ we will use $\mathcal{E}(I) = \varphi\to\varphi$. 



Subject Reduction. We will show that reductions preserve types in our system. To 
obtain this result, we first prove that the operations (substitution, expansion, lifting, and 
closure) are sound on typeable terms, that is if $\langle B,\sigma,E\rangle$ represents $B\vdash_{\mathcal{E}} t{:}\sigma$, then, for 
any $Ch$, $Ch(\langle B,\sigma,E\rangle)$ represents a typing derivation for $t$. 

Theorem 19 (Soundness of Operations). Let $Op$ be a substitution, an expansion, a 
lifting or a closure. If $B\vdash_{\mathcal{E}} t{:}\sigma$ (with associated triple $\langle B,\sigma,E\rangle$) and $Op(\langle B,\sigma,E\rangle) = 
\langle B',\sigma',E'\rangle$, then $B'\vdash_{\mathcal{E}} t{:}\sigma'$ (with associated triple $\langle B',\sigma',E'\rangle$). 

Proof. For Substitution and Lifting: by induction on the structure of derivations. For 
Expansion: by induction on the structure of derivations, using the result for lifting in the 
case of $(\forall I)$. For Closure: direct by definition of closure, using rule $(\forall I)$. 



A direct consequence of the above theorem for Lifting is that the following derivation 
rule is admissible. 

$\dfrac{B\vdash_{\mathcal{E}} t{:}\sigma\quad\sigma\le\tau}{B\vdash_{\mathcal{E}} t{:}\tau}$ 



Also, the following is immediate. 
Corollary 20. $B\vdash_{\mathcal{E}} t{:}\sigma_1\cap\cdots\cap\sigma_n$, if and only if, $B\vdash_{\mathcal{E}} t{:}\sigma_i$, for all $1\le i\le n$. 

Combining the above results for the different operations, we have: 

Theorem 21 (Soundness of Chains). Let $Ch$ be a chain. Then, if $B\vdash_{\mathcal{E}} t{:}\sigma$ (with 
associated triple $\langle B,\sigma,E\rangle$) and $Ch(\langle B,\sigma,E\rangle) = \langle B',\sigma',E'\rangle$ then $B'\vdash_{\mathcal{E}} t{:}\sigma'$ (with 
associated triple $\langle B',\sigma',E'\rangle$). 

In the proof of Subject Reduction we will use one more lemma: 

Lemma 22. Let $\mathcal{E}$ be an environment, $t$ a term, and $R$ a term-substitution. 

1. If $B\vdash_{\mathcal{E}} t{:}\sigma$ and $B'$ is a basis such that $B'\vdash_{\mathcal{E}} x^R{:}\rho$ for every statement $x{:}\rho\in B$, 
then $B'\vdash_{\mathcal{E}} t^R{:}\sigma$. 

2. If there are $B$ and $\sigma$ such that $B\vdash_{\mathcal{E}} t^R{:}\sigma$, then for every $x$ occurring in $t$ there is a 
type $\rho_x$ such that $\{x{:}\rho_x\mid x \text{ occurs in } t\}\vdash_{\mathcal{E}} t{:}\sigma$, and $B\vdash_{\mathcal{E}} x^R{:}\rho_x$. 

Theorem 23 (Subject Reduction). If $B\vdash_{\mathcal{E}} t{:}\sigma$ and $t\to t'$, then $B\vdash_{\mathcal{E}} t'{:}\sigma$. 

Proof. For $\beta$-reduction the proof is standard. Let $l\to r$ be the typeable rewrite rule 
applied in the rewrite step $t\to t'$. We will prove that for every term-substitution $R$ and 
type $\rho$, if $B\vdash_{\mathcal{E}} l^R{:}\rho$, then $B\vdash_{\mathcal{E}} r^R{:}\rho$, which proves the theorem. 

Since $r$ is typeable, there are $P$, $\pi$ and $E$ such that $\langle P,\pi,E\rangle$ is a principal triple for $l$ 
with respect to $\mathcal{E}$, and $P\vdash_{\mathcal{E}} r{:}\pi$. Suppose $R$ is a term-substitution such that $B\vdash_{\mathcal{E}} l^R{:}\rho$. 
By Lemma 22(2) there is a $B'$ such that for every $x{:}\rho\in B'$, $B\vdash_{\mathcal{E}} x^R{:}\rho$, and $B'\vdash_{\mathcal{E}} l{:}\rho$, 
represented by $\langle B',\rho,E'\rangle$. Since $\langle P,\pi,E\rangle$ is a principal triple for $l$ with respect to $\mathcal{E}$, by 
Definition 17 there is a chain $Ch$ such that $Ch(\langle P,\pi,E\rangle) = \langle B',\rho,E'\rangle$. Since $P\vdash_{\mathcal{E}} r{:}\pi$, 
by Theorem 21 also $B'\vdash_{\mathcal{E}} r{:}\rho$. Then by Lemma 22(1) $B\vdash_{\mathcal{E}} r^R{:}\rho$. 

3 Strong Normalisation 

Often in type systems types serve not only as partial specifications of the behaviour of 
terms, but also to ensure that reduction sequences terminate. In fact, this is a well-known 
property of the intersection system for LC, and of System F. The situation is different 
in TRS: a rule $t\to t$ may be typeable, although it obviously leads to non-termination. 
Inspired by the work of Jouannaud and Okada [24], who defined a general scheme of 
recursion that ensures termination of higher-order rewrite rules combined with LC, we 
define a general scheme for TRS + $\beta$, such that typeability of the rewrite rules in the 
polymorphic intersection system defined in this paper implies strong normalisation of 
all typeable terms. 

Definition 24 (General Scheme of Recursion). Let $\mathcal{F}_n = \mathcal{Q}\cup\{F^1,\ldots,F^n\}$, where 
$F^1,\ldots,F^n$ will be the defined symbols, and $\mathcal{Q}$ the set of constructors. We will assume 
that $F^1,\ldots,F^n$ are defined incrementally (i.e. there is no mutual recursion), by 
typeable rules that satisfy the general scheme: 

$F^i(\vec{C}[\vec{x}],\vec{y})\to C'[F^i(\vec{C}_1[\vec{x}],\vec{y}),\ldots,F^i(\vec{C}_m[\vec{x}],\vec{y}),\vec{y}]$, 

where $\vec{x},\vec{y}$ are sequences of variables such that $\vec{x}\subseteq\vec{y}$; $\vec{C}[\ ],C'[\ ],\vec{C}_1[\ ],\ldots,\vec{C}_m[\ ]$ are 
(sequences of) contexts with function symbols in and for every $1\le j\le m$, 
$\vec{C}[\vec{x}]\rhd_{mul}\vec{C}_j[\vec{x}]$, where $\lhd$ is the strict sub-term ordering (i.e. $\rhd$ denotes strict 
super-term) and ‘mul’ denotes multi-set extension. Moreover, if $\langle P,\pi,E\rangle$ is the 
principal triple of $F^i(\vec{C}[\vec{x}],\vec{y})$, the types associated to the variables $\vec{y}$ in $P$ are the types 
of the corresponding arguments of $F^i$ in $\mathcal{E}(F^i)$. 

This general scheme is a generalisation of primitive recursion. It imposes two main 
restrictions on the definition of functions: the terms in the multi-sets $\vec{C}_j[\vec{x}]$ are sub-terms 
of terms in $\vec{C}[\vec{x}]$ (this is the ‘primitive recursive’ aspect of the scheme), and the variables 
$\vec{x}$ must also appear as arguments in the left-hand side of the rule. Both restrictions are 
essential to prove the Strong Normalisation Theorem below. Although the general scheme 
has a primitive recursive aspect, it allows the definition of non-primitive functions thanks 
to the higher-order features available in TRS + $\beta$; for example, Ackermann’s function 
can be represented. Also the rewrite rules of Combinatory Logic are not recursive, so, 
in particular, satisfy the scheme, and therefore the systems that satisfy the scheme have 
full computational power. 

Using the power of the general schema, it is possible to prove the following 

Theorem 25 (Strong Normalisation). If the rewrite rules satisfy the general schema, 
any typeable term is strongly normalisable. 

The proof, which we omit for lack of space, can be carried on by using Tait-Girard’s 
method [20] and the techniques devised in [24] in order to cope with some of the 
difficulties that arise because of the presence of algebraic rewriting. 

It is possible to show that if we assume the rules to satisfy the general schema, a 
typeable TRS + $\beta$ without critical pairs in $R$ is locally confluent on typeable terms (we 
omit also this proof for lack of space), and hence, by Newman’s Lemma [31], we can 
deduce confluence from strong normalisation and local confluence. 

4 Restriction to Rank2 

In this section, we will present a decidable restriction of the type system as presented 
above, based on types of rank 2. Although the Rank 2 intersection system and the Rank 2 
polymorphic system for LC type exactly the same set of terms [35], their combination 
results in a system with more expressive power: polymorphism can be expressed directly 
(using the universal quantifier) and every typeable term has a principal type, as we will 
show below. The latter property does not hold in a system without intersection. 

4.1 Rank 2 Type Assignment 

The polymorphic intersection types of Rank 2, $\mathcal{T}_2$, are a true subset of the set of poly- 
morphic intersection types as defined in Definition 4. 

Definition 26. We define polymorphic intersection types of Rank 2 in layers: 

$\mathcal{T}_C ::= \varphi \mid s \mid (\mathcal{T}_C\to\mathcal{T}_C)$ $\qquad$ $\mathcal{T}_1 ::= (\mathcal{T}_0\cap\cdots\cap\mathcal{T}_0)$ 

$\mathcal{T}_0 ::= \mathcal{T}_C \mid (\forall\alpha.\mathcal{T}_0[\alpha/\varphi])$ $\qquad$ $\mathcal{T}_2 ::= \mathcal{T}_C \mid (\mathcal{T}_1\to\mathcal{T}_2)$ 

Below, we will define a unification procedure that will recursively go through types. 
However, using the sets defined above, not every subtype of a type is a legal type. This 
will cause a few problems, that will be dealt with. 

As for $\mathcal{T}$, we will consider a relation on types, $\le_2$, that is the restriction to $\mathcal{T}_2$ of 
the relation $\le$ defined in Definition 5. For the sake of clarity, we will give the formal 
definition here. 

Definition 27 (Relations on types). On $\mathcal{T}_2$, the pre-order (i.e. reflexive and transitive 
relation) $\le_2$ is defined by: 

$\sigma_1\cap\cdots\cap\sigma_n\le_2\sigma_i$ $\qquad$ ($1\le i\le n$) 

$\forall 1\le i\le n.\ \sigma\le_2\sigma_i \Rightarrow \sigma\le_2\sigma_1\cap\cdots\cap\sigma_n$ $\qquad$ ($n\ge 1$) 

$\rho\le_2\sigma,\ \tau\le_2\mu \Rightarrow \sigma\to\tau\le_2\rho\to\mu$ $\qquad$ ($\tau,\mu\in\mathcal{T}_2$) 

$\forall\alpha.\sigma[\alpha/\varphi]\le_2\sigma[\tau/\varphi]$ $\qquad$ ($\tau\in\mathcal{T}_C$) 

$\sigma\le_2\forall\alpha.\sigma[\alpha/\varphi]$ $\qquad$ ($\varphi$ not in $\sigma$, and $\alpha$ fresh) 

$\sigma\le_2\tau \Rightarrow \forall\alpha.\sigma[\alpha/\varphi]\le_2\forall\alpha.\tau[\alpha/\varphi]$ 

The equivalence relation $\sim_2$ is defined by: $\sigma\sim_2\tau \iff \sigma\le_2\tau\le_2\sigma$, and we extend 
$\le_2$ to bases in the same way as done for $\le$. 

Notice that part ‘$\forall\alpha.\sigma\to\tau\le_2\sigma\to\forall\alpha.\tau$, if $\alpha$ does not occur in $\sigma$’ is omitted, since 
$\sigma\to\forall\alpha.\tau$ is not a type of Rank 2. 

The Rank 2 versions for the various operations are defined in much the same way as 
in [4], with the exception of the operation of closure and lifting, that were not used there. 
Notice that, because the operation of expansion will need to be defined in a different way 
than before, now we can use a pair basis-type (and no more a triple), as an abstraction for 
a derivation. The first three operations used for the Rank 2 system are straightforward 
variants of operations defined for the full system. 



Definition 28. 1. Substitution $(\varphi\mapsto\rho):\mathcal{T}_2\to\mathcal{T}_2$ is defined as in Definition 8, but 
with the restriction that $\rho\in\mathcal{T}_C$. We use $Id_S$ for the substitution that replaces all 
variables by themselves, and write $\mathbf{S}$ for the set of all substitutions. 

For the sake of clarity, and in order to avoid writing $[S_1,\ldots,S_n]$ for a chain of 
single type-variable substitutions, we will close the set of substitutions under 
composition ‘$\circ$’. 

2. Lifting is defined as in Definition 13, but with the restriction that $\le$ is taken to be 
$\le_2$ of Definition 27. 

3. Closure is defined as a pair of types $(\sigma,\varphi)$, with $\sigma\in\mathcal{T}_0$, by: 

$(\sigma,\varphi)(\langle B,\tau_1\cap\cdots\cap\tau_n\rangle) = \langle B,\tau_1'\cap\cdots\cap\tau_n'\rangle$ 

where, for all $1\le i\le n$, $\tau_i' = \forall\alpha.\sigma[\alpha/\varphi]$, if $\tau_i = \sigma$ and $\varphi$ does not appear in $B$ ($\alpha$ 
fresh), and $\tau_i' = \tau_i$, otherwise. 

Below, we will also use $(\sigma,\alpha)$ for a closure, with the intention that $(\sigma[\alpha/\varphi],\alpha) = 
(\sigma,\varphi)$, and $(\sigma,\vec{\varphi}) = [Cl_1,\ldots,Cl_n]$ where, for $0\le i<n$, $\sigma_{i+1} = Cl_{i+1}(\sigma_i)$ and $Cl_{i+1} = 
(\sigma_i,\varphi_{i+1})$, and $\sigma_0 = \sigma$. 

The variant of expansion as used in the Rank 2 system is quite different from that 
of Definition 10. The reason for this is that expansion, normally, increases the rank of a 
type: 

$E_{(\varphi_1,2)}(\langle\{x{:}\varphi_1\to\varphi_2\},\varphi_1,\emptyset\rangle)(\varphi_1\to\varphi_2) = (\varphi_1^1\cap\varphi_1^2)\to\varphi_2$, 

a feature that is of course not allowed within a system that limits the rank of types. Since 
below expansion is only used in very precise situations (within the procedure $unify_2$, 
and in the proof of Theorem 40), the solution is relatively easy: in the context of Rank 2 
types, expansion is only called on types in $\mathcal{T}_1$, so it is defined to work well there, by 
replacing all types by an intersection; in particular, intersections are not created at the 
left of an arrow. 

Definition 29. Let $B$ be a Rank 2 basis, $\sigma\in\mathcal{T}_1$, and $n\ge 1$. The $n$-fold Rank 2 
expansion with respect to the pair $\langle B,\sigma\rangle$, $n_{\langle B,\sigma\rangle}:\mathcal{T}_1\to\mathcal{T}_1$, is constructed as follows: 

Suppose $\mathcal{V} = \{\varphi_1,\ldots,\varphi_m\}$ is the set of all (free) variables occurring in $\langle B,\sigma\rangle$. 
Choose $m\times n$ different variables $\varphi_1^1,\ldots,\varphi_m^1,\ldots,\varphi_1^n,\ldots,\varphi_m^n$ such that each $\varphi_j^i$ 
($1\le i\le n$, $1\le j\le m$) does not occur in $\mathcal{V}$. Let $S_i$ be the substitution that replaces every 
$\varphi_j$ by $\varphi_j^i$. Then Rank 2 expansion is defined on types, bases, and pairs, respectively, by: 

$n_{\langle B,\sigma\rangle}(\tau) = S_1(\tau)\cap\cdots\cap S_n(\tau)$, 

$n_{\langle B,\sigma\rangle}(B') = \{x{:}n_{\langle B,\sigma\rangle}(\rho)\mid x{:}\rho\in B'\}$, 

$n_{\langle B,\sigma\rangle}(\langle B',\sigma'\rangle) = \langle n_{\langle B,\sigma\rangle}(B'),\ n_{\langle B,\sigma\rangle}(\sigma')\rangle$. 

Notice that, if $\tau\in\mathcal{T}_1$, it can be that $S_1(\tau)\cap\cdots\cap S_n(\tau)$ is not a legal type. However, 
since each $S_i(\tau)\in\mathcal{T}_1$, for $1\le i\le n$, for the sake of clarity, we will not treat it 
separately. 

Notice that we have no need for the third parameter ‘$E$’ in this notion of expansion. 

Since all results in this section regard the Rank 2 system, we will use ‘expansion’ 
rather than ‘Rank 2 expansion.’ 

As before, operations will be grouped in chains. 

Definition 30. A Rank 2 chain (or R2-chain for short) is a chain $Ch$ of operations, 
composed of at most one expansion, at most one substitution, at most one lifting, and a 
number ($\ge 0$) of closures: $Ch = [E,S,L,Cl_1,\ldots,Cl_m] = [E,S,L,\vec{Cl}]$. 



Lemma 31. Let $Ch$ be an R2-chain. 

1. If $\sigma\in\mathcal{T}_C$, and $Ch(\sigma)\in\mathcal{T}_2$, then $Ch(\sigma)\in\mathcal{T}_C$, and there is a substitution $S$ such 
that $Ch(\sigma) = S(\sigma)$. 

2. If $\sigma\in\mathcal{T}_1$, and $Ch(\sigma)\in\mathcal{T}_C$, then there are a substitution $S$, and closures 
$Cl_1,\ldots,Cl_n$, such that $Ch(\sigma) = [S,Cl_1,\ldots,Cl_n](\sigma)$. 

3. If $\sigma\in\mathcal{T}_C$, and $Ch(\sigma)\in\mathcal{T}_1$, then there exists a lifting-free R2-chain $Ch'$ such that 
$Ch(\sigma) = Ch'(\sigma)$. 

4. If $\sigma\in\mathcal{T}_0$, and $Ch(\sigma)\in\mathcal{T}_C$, then there is a substitution $S$ such that 
$Ch(\sigma) = S(\sigma)$. 

5. If $\sigma\in\mathcal{T}_1$, and $Ch(\sigma)\in\mathcal{T}_1$, then there are substitution $S$, and lifting $L$ such that 
$Ch(\sigma) = [S,L](\sigma)$. 

We now come to the definition of Rank 2 type assignment. 



Definition 32. 1. A Rank 2 environment is a mapping from $\mathcal{F}$ to $\mathcal{T}_2$. 

2. Rank 2 type assignment is defined by the following natural deduction system: 

$(\le_2):\ \dfrac{x{:}\sigma\in B\quad\sigma\le_2\tau}{B\vdash^2_{\mathcal{E}} x{:}\tau}\ (a)$ 

$(\to E):\ \dfrac{B\vdash^2_{\mathcal{E}} t_1{:}\sigma\to\tau\quad B\vdash^2_{\mathcal{E}} t_2{:}\sigma}{B\vdash^2_{\mathcal{E}} Ap(t_1,t_2){:}\tau}$ 

$(F):\ \dfrac{B\vdash^2_{\mathcal{E}} t_1{:}\sigma_1\ \cdots\ B\vdash^2_{\mathcal{E}} t_n{:}\sigma_n}{B\vdash^2_{\mathcal{E}} F(t_1,\ldots,t_n){:}\sigma}\ (b)$ 

$(\forall I):\ \dfrac{B\vdash^2_{\mathcal{E}} t{:}\sigma}{B\vdash^2_{\mathcal{E}} t{:}\forall\alpha.\sigma[\alpha/\varphi]}\ (c)$ 

$(\cap I):\ \dfrac{B\vdash^2_{\mathcal{E}} t{:}\sigma_1\ \cdots\ B\vdash^2_{\mathcal{E}} t{:}\sigma_n}{B\vdash^2_{\mathcal{E}} t{:}\sigma_1\cap\cdots\cap\sigma_n}\ (d)$ 

$(\to I):\ \dfrac{B,x{:}\sigma\vdash^2_{\mathcal{E}} t{:}\tau}{B\vdash^2_{\mathcal{E}} \lambda x.t{:}\sigma\to\tau}$ 

a) $\sigma\in\mathcal{T}_1$, and $\tau\in\mathcal{T}_C$. 

b) If there exists a chain $Ch$ such that $\sigma_1\to\cdots\to\sigma_n\to\sigma = Ch(\mathcal{E}(F))$. 

c) If $\varphi$ does not occur in $B$, and $\sigma\in$ 

d) If $n\ge 1$, and $\sigma_i\in\mathcal{T}_0$, for every $1\le i\le n$. 

Notice that, since quantification elimination is implicit in rule $(\le_2)$ when restricting 
the use of the quantifier to the left of arrows only, there is no longer need for a general 
$(\forall E)$ rule; as rule $(\cap E)$, its use is in a strict system limited to variables, and there its 
actions are already performed by $(\le_2)$. 

We have the following soundness result for chains of operations: 

Lemma 33. If $\sigma\in\mathcal{T}_1$, $B\vdash^2_{\mathcal{E}} t{:}\sigma$, and $Ch(\langle B,\sigma\rangle) = \langle B',\sigma'\rangle$, then $B'\vdash^2_{\mathcal{E}} t{:}\sigma'$. 



4.2 Unification of Rank 2 Types 

In the context of types, unification is a procedure normally used to find a common 
instance for demanded and provided type for applications, i.e: if $t_1$ has type $\sigma\to\tau$ and 
$t_2$ has type $\rho$, then unification looks for a common instance of the types $\sigma$ and $\rho$ such 
that $Ap(t_1,t_2)$ can be typed properly. The unification algorithm $unify_2$ presented in this 
section deals with just that problem. This means that it is not a full unification algorithm 
for types of Rank 2, but only an algorithm that finds the most general unifying chain 
for demanded and provided type. It is defined as a natural extension of Robinson’s 
well-known unification algorithm $unify$ [33]. 

Definition 34. Unification of Curry types (extended with bound variables and type 
constants), $unify:\mathcal{T}_C\times\mathcal{T}_C\to\mathbf{S}$, is defined by: 

$unify(\varphi,\tau) = unify(\tau,\varphi) = (\varphi\mapsto\tau)$, if $\varphi$ does not occur in $\tau$ or $\varphi = \tau$ 

$unify(\alpha,\alpha) = unify(s,s) = Id_S$, 

$unify(\sigma\to\tau,\rho\to\mu) = S_2\circ S_1$, where $S_1 = unify(\sigma,\rho)$, $S_2 = unify(S_1(\tau),S_1(\mu))$. 

(All non-specified cases, like $unify(\alpha_1,\alpha_2)$ with $\alpha_1\neq\alpha_2$, fail.) 

It is worthwhile to notice that the operation on types returned by $unify$ is not really 
a substitution, since it allows, e.g., $\varphi\mapsto\alpha$, without keeping track of the binder for $\alpha$. 
This potentially will create wrong results, since unification can now substitute bound 
variables in unbound places. Therefore, special care has to be taken before applying a 
substitution, to guarantee its application to the argument acts as a ‘real’ substitution. 

The following property is well-known, and formulates that $unify$ returns the most 
general unifier for two Curry types, if it exists. 

Property 35. ([33]) For all $\sigma,\tau\in\mathcal{T}_C$, substitutions $S_1,S_2$: if $S_1(\sigma) = S_2(\tau)$, then 
there are substitutions $S_u$ and $S'$ such that $S_u = unify(\sigma,\tau)$, and $S_1(\sigma) = S'\circ S_u(\sigma) = 
S'\circ S_u(\tau) = S_2(\tau)$. 

The unification algorithm $unify_2$ as defined below gets, typically, called during the 
computation of the principal pair for an application $Ap(t_1,t_2)$. Suppose the algorithm has 
derived $P_1\vdash^2_{\mathcal{E}} t_1{:}\pi_1$ and $P_2\vdash^2_{\mathcal{E}} t_2{:}\pi_2$ as principal derivations for $t_1$ and $t_2$, respectively, 
and that $\pi_1 = \sigma\to\tau$. Thus the demanded type $\sigma$ is in $\mathcal{T}_1$ and the provided type $\pi_2$ is in $\mathcal{T}_2$. 
In order to be consistent, the result of the unification of $\sigma$ and $\pi_2$ - a chain $Ch$ - should 
always be such that $Ch(\pi_2)\in\mathcal{T}_1$. However, if $\pi_2\notin\mathcal{T}_C$, then in general $Ch(\pi_2)\notin\mathcal{T}_1$. 
To overcome this difficulty an algorithm $toT_C$ will be inserted that, when applied to the 
type $\rho$, returns a chain of operations that removes, if possible, intersections in $\rho$. Note that 
if quantifiers appear in $\rho$, $toT_C(\rho)$ should fail, since quantifiers that appear before an arrow 
cannot be removed by any of the operations on types. Finally, $unify_2(\sigma,S_2(\pi_2),S_2(P_2))$ 
is called (with $S_2 = toT_C(\pi_2)$). The basis $S_2(P_2)$ is needed to calculate the expansion 
of $S_2(\pi_2)$ in case $\sigma$ is an intersection type. 

Definition 36. 1. The function $toT_C:\mathcal{T}_2\to\mathbf{S}$ is defined by: 

$toT_C(\sigma) = [Id_S]$, if $\sigma\in\mathcal{T}_C$ 

$toT_C((\sigma_1\cap\cdots\cap\sigma_n)\to\rho) = S'\circ S_n$, otherwise, 
where $S_i = unify(S_{i-1}(\sigma_i),S_{i-1}(\sigma_{i+1}))\circ S_{i-1}$, ($1\le i\le n-1$, with $S_0 = Id_S$), 
and $S' = toT_C(S_n(\rho))$. 

2. Let $\mathbf{B}$ be the set of all bases, and $\mathbf{Ch}$ the set of all chains. The function 
$unify_2:\mathcal{T}_1\times\mathcal{T}_C\times\mathbf{B}\to\mathbf{Ch}$ is defined by: 

$unify_2(\sigma,\tau,B) = unify(\sigma,\tau)$, if $\sigma\in\mathcal{T}_C$ 

$unify_2((\forall\vec{\alpha}_1.\sigma_1)\cap\cdots\cap(\forall\vec{\alpha}_n.\sigma_n),\tau,B) = [E,S_n]$, otherwise 
where $E$ is the $n$-fold expansion $n_{\langle B,\tau\rangle}$, $\tau_1\cap\cdots\cap\tau_n = E(\tau)$, and $S_i = unify(S_{i-1}(\sigma_i),\tau_i)\circ S_{i-1}$ (with 
$S_0 = Id_S$), provided $S_{i-1}$ does not introduce $\alpha$s when applied to $\sigma_i$, for $1\le i\le n$. 

Notice that $unify$, $toT_C$, and $unify_2$ all return lifting-free R2-chains. Moreover, both 
$unify$ and $toT_C$ return a substitution, and the R2-chain returned by $unify_2(\sigma,\tau)$ acts on 
$\sigma$ as a substitution: the expansion in the chain is defined for the sake of $\tau$ only. Notice 
also that $unify_2$ does not really return a unifying chain for its first two arguments; to 
achieve this, also closures would have to be inserted. They are not needed for the present 
purpose. 

The procedure $unify_2$ fails when $unify$ fails, and $toT_C$ fails when either $unify$ fails 
or when the argument contains $\forall$. Because of this relation between $unify_2$ and $toT_C$ on 
one side, and $unify$ on the other, the procedures defined here are terminating and type 
assignment in the system defined in this section is decidable. 

Lemma 37. Let $Ch$ be an R2-chain. 

1. If $\sigma\in\mathcal{T}_2$, and $Ch(\sigma) = \tau\in\mathcal{T}_C$, then there is a $S'$ such that $S'\circ toT_C(\sigma)(\sigma) = \tau$. 

2. If $\sigma\in\mathcal{T}_2$, and $Ch(\sigma) = \tau\in\mathcal{T}_1$, then $[toT_C(\sigma),Ch'](\sigma) = \tau$, for some R2-chain 
$Ch'$. 

Proof. Easy, using Property 35, and Lemma 31.3-4. 
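As an added illustration of the substitution of Definition 8, the Robinson-style $unify$ of Definition 34 and the $toT_C$ procedure of Definition 36.1 (example code written for this edition, not part of the paper), the following Python encodes Curry types as tuples and shows both the occurs-check failure and the rejection of quantified arguments; the tuple encoding, the names `unify`, `to_tc` and the dict representation of substitutions are assumptions.

```python
# Added example (not from the paper): unify of Definition 34, substitution of
# Definition 8 (as dicts, composed with 'o') and toTc of Definition 36.1.
# Constructed tuple encoding of types (the paper fixes no representation):
#   ('var', 'phi')            type variable phi (in Phi)
#   ('bvar', 'alpha')         bound variable alpha, unified only with itself
#   ('const', 's')            type constant / sort s
#   ('arrow', sigma, tau)     sigma -> tau
#   ('inter', [s1, ..., sn])  s1 ∩ ... ∩ sn   (Rank 2: only left of an arrow)
#   ('forall', 'alpha', t)    ∀alpha.t         (makes toTc fail, as the text requires)


class UnifyError(Exception):
    """Raised for the non-specified cases of unify and for quantified toTc arguments."""


def occurs(var, t):
    """True if type variable `var` occurs in t (the occurs check of Definition 34)."""
    tag = t[0]
    if tag == 'var':
        return t[1] == var
    if tag == 'arrow':
        return occurs(var, t[1]) or occurs(var, t[2])
    if tag == 'inter':
        return any(occurs(var, s) for s in t[1])
    if tag == 'forall':
        return occurs(var, t[2])
    return False


def apply_subst(S, t):
    """Apply a substitution S (dict: variable name -> type) to t, as in Definition 8."""
    tag = t[0]
    if tag == 'var':
        return S.get(t[1], t)
    if tag == 'arrow':
        return ('arrow', apply_subst(S, t[1]), apply_subst(S, t[2]))
    if tag == 'inter':
        return ('inter', [apply_subst(S, s) for s in t[1]])
    if tag == 'forall':
        return ('forall', t[1], apply_subst(S, t[2]))
    return t  # constants and bound variables are left unchanged


def compose(S2, S1):
    """S2 o S1: the substitution that applies S1 first and then S2."""
    result = {v: apply_subst(S2, t) for v, t in S1.items()}
    for v, t in S2.items():
        result.setdefault(v, t)
    return result


def unify(a, b):
    """Definition 34: most general unifier of two Curry types, or raise UnifyError."""
    if a[0] == 'var':
        if a == b:
            return {}  # unify(phi, phi) = Id
        if occurs(a[1], b):
            raise UnifyError(f'{a[1]} occurs in {b}')  # no finite unifier exists
        return {a[1]: b}  # the single-variable substitution (phi |-> b)
    if b[0] == 'var':
        return unify(b, a)
    if a[0] in ('const', 'bvar') and a == b:
        return {}  # unify(s, s) = unify(alpha, alpha) = Id
    if a[0] == 'arrow' and b[0] == 'arrow':
        S1 = unify(a[1], b[1])
        S2 = unify(apply_subst(S1, a[2]), apply_subst(S1, b[2]))
        return compose(S2, S1)
    raise UnifyError(f'cannot unify {a} with {b}')  # all non-specified cases fail


def is_curry(t):
    """Membership in T_C: variables, constants, bound variables and arrows between them."""
    if t[0] in ('var', 'const', 'bvar'):
        return True
    return t[0] == 'arrow' and is_curry(t[1]) and is_curry(t[2])


def has_quantifier(t):
    """True if a ∀ occurs anywhere in t; such types are rejected by toTc."""
    if t[0] == 'forall':
        return True
    if t[0] == 'arrow':
        return has_quantifier(t[1]) or has_quantifier(t[2])
    if t[0] == 'inter':
        return any(has_quantifier(s) for s in t[1])
    return False


def to_tc(sigma):
    """Definition 36.1: a substitution that removes the intersections of a Rank 2 type.

    toTc(sigma) = Id if sigma is in T_C; for (s1 ∩ ... ∩ sn) -> rho the members s_i
    are unified pairwise in sequence and the accumulated result is applied to rho.
    """
    if is_curry(sigma):
        return {}
    if has_quantifier(sigma):
        raise UnifyError('quantifiers left of an arrow cannot be removed')
    if sigma[0] != 'arrow':
        raise UnifyError(f'not a Rank 2 type: {sigma}')
    left, rho = sigma[1], sigma[2]
    parts = left[1] if left[0] == 'inter' else [left]
    S = {}  # S_0 = Id
    for i in range(len(parts) - 1):
        S_i = unify(apply_subst(S, parts[i]), apply_subst(S, parts[i + 1]))
        S = compose(S_i, S)  # S_i o S_{i-1}
    return compose(to_tc(apply_subst(S, rho)), S)  # S' o S_n
```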
4.3 Principal Pairs for Terms 

In this subsection, the principal pair for a term $t$ with respect to the environment $\mathcal{E}$ - 
$pp_{\mathcal{E}}(t)$ - is defined, consisting of basis $P$ and type $\pi$. In Theorem 40 it will be shown 
that, for every term, this is indeed the principal one. 

Notice that, in the definition below, if $pp_{\mathcal{E}}(t) = \langle P,\pi\rangle$, then $\pi\in\mathcal{T}_2$. For example, 
the principal pair for the term $\lambda x.x$ is $\langle\emptyset,\varphi\to\varphi\rangle$, so, in particular, it is not $\langle\emptyset,\forall\alpha.\alpha\to\alpha\rangle$. 

Although one could argue that the latter type is more ‘principal’ in the sense that it 
expresses the generic character the principal type is supposed to have, we have chosen 
to use the former instead. This is mainly for technical reasons: because unification is 
used in the definition below, using the latter type, we would often be forced to remove 
the external quantifiers. Both types can be seen as ‘principal’ though, since $\forall\alpha.\alpha\to\alpha$ 
can be obtained from $\varphi\to\varphi$ by closure, and $\varphi\to\varphi$ from $\forall\alpha.\alpha\to\alpha$ by lifting. 

Definition 38. Let $t$ be a term in $T(\mathcal{F},\mathcal{X})$. Using $unify_2$, $pp_{\mathcal{E}}(t)$ is defined by: 

1. $t = x$. Then $pp_{\mathcal{E}}(x) = \langle\{x{:}\varphi\},\varphi\rangle$. 

2. $t = \lambda x.t'$. Let $pp_{\mathcal{E}}(t') = \langle P,\pi\rangle$, then: 

a) If $x$ occurs free in $t'$, and $x{:}\sigma\in P$, then $pp_{\mathcal{E}}(\lambda x.t') = \langle P\backslash x,\sigma\to\pi\rangle$. 

b) Otherwise, let $\varphi$ be a fresh variable, and $pp_{\mathcal{E}}(\lambda x.t') = \langle P,\varphi\to\pi\rangle$. 

3. $t = Ap(t_1,t_2)$. Let $pp_{\mathcal{E}}(t_1) = \langle P_1,\pi_1\rangle$, $pp_{\mathcal{E}}(t_2) = \langle P_2,\pi_2\rangle$ (choose, if necessary, 
trivial variants such that these pairs are disjoint), and $S_2 = toT_C(\pi_2)$, then 

$\pi_1\in\mathcal{T}_C$: $pp_{\mathcal{E}}(Ap(t_1,t_2)) = \langle P,\pi\rangle$, where $P = S_1(\Pi\{P_1,S_2(P_2)\})$, 
$\pi = S_1(\varphi)$, $S_1 = unify(\pi_1,S_2(\pi_2)\to\varphi)$, and $\varphi$ is a fresh variable. 

$\pi_1\notin\mathcal{T}_C$: Assume $\pi_1 = \sigma\to\tau$. Then $pp_{\mathcal{E}}(Ap(t_1,t_2)) = \langle P,\pi\rangle$, provided $P$ and 
$\pi$ contain no unbound occurrences of $\alpha$s, where $P = S(\Pi\{P_1,E(S_2(P_2))\})$, 
$\pi = S(\tau)$, and $[E,S] = unify_2(\sigma,S_2(\pi_2),S_2(P_2))$. 

4. $t = F(t_1,\ldots,t_n)$. Let, for every $1\le i\le n$, $pp_{\mathcal{E}}(t_i) = \langle P_i,\pi_i\rangle$ (assume that the 
$\langle P_i,\pi_i\rangle$ are pairwise disjoint), then $pp_{\mathcal{E}}(F(t_1,\ldots,t_n)) = \langle P,\pi\rangle$, provided $P$ and 
$\pi$ contain no unbound occurrences of $\alpha$s, where 

$P = S^n\circ\cdots\circ S^1(\Pi\{E_1(S_1(P_1)),\ldots,E_n(S_n(P_n))\})$, 

$\pi = S^n\circ\cdots\circ S^1(\gamma)$, 

$\gamma_1\to\cdots\to\gamma_n\to\gamma$ is a fresh instance of $\mathcal{E}(F)$, and 

for every $1\le i\le n$, $S_i = toT_C(\pi_i)$, and 

$[E_i,S^i] = unify_2(S^{i-1}\circ\cdots\circ S^1(\gamma_i),S_i(\pi_i),S_i(P_i))$. 

Since $unify$ or $unify_2$ may fail, not every term has a principal pair. 

Notice that closures are not needed when calculating the new basis and type. 

The treatment of $F(t_1,\ldots,t_n)$ in Definition 38 is in fact very much the same as a 
repeated treatment of $Ap(t_1,t_2)$. This can be understood by observing that the terms 
$F(t_1,\ldots,t_n)$ and $Ap(\cdots Ap(\lambda x_1\cdots x_n.F(x_1,\ldots,x_n),t_1)\cdots,t_n)$ 
should be treated in the same way. 

The following lemma is needed in the proof of Theorem 40.2. It states that if a chain
maps the principal pairs of terms t₁, t₂ in an application Ap(t₁,t₂) to pairs that allow the
application itself to be typed, then these pairs can also be obtained by first performing a
unification.

Lemma 39. Let σ ∈ T_2, and for i = 1,2, pp_ε(tᵢ) = ⟨Pᵢ,πᵢ⟩, such that these pairs are
disjoint. Let Ch₁, Ch₂ be R2-chains such that Ch₁(pp_ε(t₁)) = ⟨B₁, σ→τ⟩, and
Ch₂(pp_ε(t₂)) = ⟨B₂, σ⟩. Then there are R2-chains Ch_U and Ch_P, and type ρ ∈ T_2
such that

pp_ε(Ap(t₁,t₂)) = Ch_U(⟨Π{P₁,P₂}, ρ⟩), and

Ch_P(pp_ε(Ap(t₁,t₂))) = ⟨Π{B₁,B₂}, τ⟩.

Proof. Using Property 35 and Lemmas 31 and 37. ■

A similar result holds for terms of the shape F(t₁,...,tₙ).

The main result of this section then becomes: 

Theorem 40. 1. Soundness of pp_ε. If pp_ε(t) = ⟨P,π⟩, then P ⊢_ε t:π.

2. Completeness of pp_ε. If B ⊢_ε t:σ, then there are a basis P and type π such that
pp_ε(t) = ⟨P,π⟩, and there is an R2-chain Ch such that Ch(⟨P,π⟩) = ⟨B,σ⟩.

Proof. By induction on the structure of derivations. Lemma 39 is used for (→E). ■
Abstract. We present a complete formalization of the Hahn-Banach
theorem in the simply-typed set-theory of Isabelle/HOL, such that both
the modeling of the underlying mathematical notions and the full proofs
are intelligible to human readers. This is achieved by means of the
Isar environment, which provides a framework for high-level reasoning
based on natural deduction. The final result is presented as a readable
formal proof document, following usual presentations in mathematical
textbooks quite closely. Our case study demonstrates that Isabelle/Isar
is capable of supporting this kind of application of formal logic very well,
while being open for an even larger scope.



1 Introduction 

The general idea of formalizing mathematics already has a long tradition. The
desire to capture the way of human reasoning can be traced back far into the
past, just consider Leibniz’s calculemus manifesto as a classic example. Purely
syntactic formulation of mathematics with mechanical checking of proofs has 
finally matured during the 20th century. Roughly speaking, in its first half it has 
been demonstrated that mathematics could in principle be completely reduced 
to very basic logical principles. In the second half of the century the advent 
of computers enabled logicians to build systems for actually doing non-trivial 
applications in a fully formal setting. Over the last decades, many successful 
mechanized proof checkers and proof assistants have emerged, just consider de 
Bruijn’s pioneering AUTOMATH project [21], or major contemporary theorem 
proving environments like Coq [12], Isabelle [25], and HOL [15]. 

This line of development represents tools for actual verification, in the sense 
that a very high level of confidence in correctness of the results is achieved. There 
is a wider picture of formal tools, though, including the important markets of 
symbolic computation (Computer Algebra) and falsification aids. The latter pro- 
vide systematic ways to exhibit errors and counterexamples, rather than prove 
correctness. This is mainly the area of Model Checking, but general purpose 
theorem provers such as PVS [23] are usually positioned here as well. 

Getting back to actual verification, we observe that current tactical provers 
(e.g. Isabelle [25] or Coq [12]) are usually quite inaccessible to non-specialist 
users. This issue has been addressed in several ways, e.g. by providing graphical 
user interfaces to help users put together tactic scripts (e.g. [1,2]). Another
major approach is to relate representations of formal proof objects directly with
natural language, e.g. narrating λ-terms in plain English (or even French) [13].
There is also a more general grammatical framework based on type theory to sup- 
port multi-lingual formal documents [17]. These efforts would ultimately result 
in a complete mathematical vernacular based on natural language (e.g. [9]). 

Mizar [26,29,19,35] has pioneered a rather different approach, by providing a
higher-level proof language as its input format in the first place — avoiding the
kind of machine-oriented transformations of tactical proving, which have so little
in common with expressing mathematical ideas. While Mizar proved very successful
for doing mainstream mathematics [18], it also has some fundamental limitations.
The Mizar environment — the theory and proof language, together with
its notion of “obvious inferences” — has been particularly tailored for applications
within a first-order formulation of typed set-theory (Tarski-Grothendieck).
It is unclear how to change the logical basis, or even just basic proof tools.
Learning how to use Mizar is difficult, because of its batch-mode nature and several
complications due to first-order logic. Also note that Mizar does not claim
the same level of formal correctness as established by major proof checkers, such
as Coq or Isabelle. It could still be possible to give fully formal foundations for
Mizar in principle.

DECLARE [27,28] is another more recent development of combining Mizar 
concepts and tactical proving into a “declarative” theorem proving system, suited 
for non-trivial meta-theoretical studies such as operational semantics. 

Our present work employs the Isabelle/Isar system [32] as an environment for 
computer-assisted formal mathematics. Isar (which stands for Intelligible semi- 
automated reasoning) offers a generic approach to high-level natural deduction 
[31]. From the user’s point of view, formal proof documents are the most funda- 
mental concept of Isar. Following the basic structure of mathematical textbooks, 
iterating definition — theorem — proof, the actual text is written in a formal 
language with semantics firmly based on logic. 

Isar provides a fresh start of the general idea of Mizar, while avoiding its 
shortcomings. The Isar framework is based on a few basic logical principles only, 
with the actual object-logic being left open as a parameter. Thus we gain logical 
flexibility, while also supporting the case of fully formal machine-checked proof 
with high confidence in the results as actual theorems. The basic mechanism 
of Isar proof checking does not depend on automated reasoning, nevertheless 
existing proof tools may be plugged in easily. 

Interactive proof development, with incremental interpretation of Isar proof 
text, is considered an important issue. The Isabelle/Isar implementation [32] 
supports a simple model of live document editing that requires very basic user 
interface support only. Together with the existing Proof General interface [1], 
we already obtain a reasonable working environment for actual applications. 

We have chosen the Hahn-Banach Theorem [16,20] as a realistic case study
of computer-assisted mathematics performed in Isabelle/Isar. The theorem has
been completely formalized (in two versions), together with any required notions
of functional analysis, using Isabelle/HOL set-theory as logical basis [6,5].
This particular example shall serve as a basis for a general assessment of the
requirements of large-scale formalized mathematics.

Why does intelligible reasoning matter anyway? It is certainly fun to see 
computer-assisted mathematics actually work in non-trivial applications, and 
show the results to other people. Further, being able to communicate machine- 
checkable formal concepts adequately has an important cultural value [3], influ- 
encing the way that formal logic is perceived as an issue of practical relevance 
in general. The particular case of formal proof in education has been addressed 
many times before (e.g. [8]). We even raise the general philosophical principle 
that any important (or even critical) piece of formal code (proofs or programs) 
should be in itself open for human understanding. Informal explanations (e.g. 
comments) and mechanic analysis (e.g. independent proof checking) play an im- 
portant role, but also have their limitations (e.g. comments could be misleading 
or even inconsistent with the formal code). Having an adequate language of for- 
mal discourse available, we are enabled to communicate our reasoning directly in 
a format that may be machine-checked later. Thus we achieve a “second source” 
for correctness: inspecting the formal source we (hopefully) get convinced of its 
plausibility, while knowing that it has passed a trusted proof checker as well. 

The rest of this paper is structured as follows. Section 2 explains basic issues 
of formal proof in Isabelle/Isar by giving some examples. Section 3 briefly reviews 
central aspects of Isar as a working environment for formalized mathematics. 
Section 4 discusses a fully formal treatment of the Hahn-Banach Theorem as a 
realistic example of mainstream mathematics in Isabelle/Isar. 

2 Basic Examples 

In order to get a first idea of how computer-assisted mathematics may look
in Isabelle/Isar, we consider basic group theory as a small “practical” example.
We introduce the abstract structure of general groups over some carrier type
α, together with product _ · _ and inverse operations, unit element 1, and
axioms stating associativity, and the left inverse and unit properties. As usual,
the right inverse and unit laws may be derived as theorems of group theory.

Below, we start a new theory context Group derived from the plain HOL
basis. Then we introduce constant declarations with Isabelle-style mixfix annotations
for concrete syntax. The structure of general groups over some carrier
type is defined by employing Isabelle’s Axiomatic Type Classes [30,34], which
provide a useful mechanism for abstract algebraic concepts. Finally we establish
the two basic consequences of the group axioms as formally proven theorems.



theory Group = HOL:

consts
  prod :: "'a ⇒ 'a ⇒ 'a"    (infixl "·" 70)
  inv  :: "'a ⇒ 'a"         ("(_⁻¹)" [1000] 999)
  unit :: "'a"              ("1")

axclass group < "term"
  assoc:     "(x · y) · z = x · (y · z)"
  left_inv:  "x⁻¹ · x = 1"
  left_unit: "1 · x = x"

theorem right_inv: "x · x⁻¹ = (1::'a::group)" ⟨proof⟩

theorem right_unit: "x · 1 = (x::'a::group)"
proof -
  have "x · 1 = x · (x⁻¹ · x)" by (simp only: left_inv)
  also have "... = (x · x⁻¹) · x" by (simp only: assoc)
  also have "... = 1 · x" by (simp only: right_inv)
  also have "... = x" by (simp only: left_unit)
  finally show ?thesis .
qed

end

This text directly represents the input format of Isabelle/Isar, apart from some
simple pretty printing applied in the presentation. Using the Proof General interface
[1] one may even achieve a similar display on screen. Our definition of
abstract groups uses axclass (see [34] for more details). Both of the proofs above
are conducted by calculational reasoning; the first one has been suppressed in
the presentation, though.

As is typical for forward-reasoning, the initial proof step does not apply any
reduction yet, which is indicated by “proof -”. The proof body establishes the
main thesis by a sequence of intermediate results (have proven via a single step
of by each¹) that are composed by transitivity. The “...” notation refers to
the most recent right-hand side expression. The also element causes the current
calculation to be combined with the latest fact. So does finally, but it also
concludes the calculation by offering the final result to the next statement.
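The calculational proof of right_inv that the presentation above suppresses, written out here as an added example in the same Isar notation (this block is not part of the paper; it assumes the Group theory context above, i.e. the three axioms assoc, left_inv and left_unit, and the same single-equation simp only: steps used in right_unit):

```isabelle
theorem right_inv: "x · x⁻¹ = (1::'a::group)"
proof -
  (* introduce a unit on the left, to be replaced by an inverse pair *)
  have "x · x⁻¹ = 1 · (x · x⁻¹)" by (simp only: left_unit)
  (* 1 = (x⁻¹)⁻¹ · x⁻¹ by the left inverse law applied to x⁻¹ *)
  also have "... = ((x⁻¹)⁻¹ · x⁻¹) · (x · x⁻¹)" by (simp only: assoc)
  (* regroup so that x⁻¹ · x becomes adjacent *)
  also have "... = (x⁻¹)⁻¹ · ((x⁻¹ · x) · x⁻¹)" by (simp only: assoc)
  (* x⁻¹ · x = 1 *)
  also have "... = (x⁻¹)⁻¹ · (1 · x⁻¹)" by (simp only: left_inv)
  (* 1 · x⁻¹ = x⁻¹ *)
  also have "... = (x⁻¹)⁻¹ · x⁻¹" by (simp only: left_unit)
  (* and (x⁻¹)⁻¹ · x⁻¹ = 1 is again the left inverse law *)
  also have "... = 1" by (simp only: left_inv)
  finally show ?thesis .
qed
```

Each also step is justified by normalizing both sides of the stated equation with a single axiom, exactly as in the right_unit proof; the second step uses left_inv read from right to left, which simp only: assoc still closes because it only needs to bring both sides into the same right-associated form after the inverse pair has been inserted.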

Isar calculations are more general than shown here. Calculational elements 
may be even combined with plain natural deduction (e.g. [33, §6]), without 
having to subscribe to a fully calculational view of logic in general [14]. 

In the next example we review slightly more involved logical reasoning: Smullyan’s
Drinkers’ principle (e.g. [3]) is a puzzle of pure classical logic. It states
that there is some individual such that whenever he is getting drunk, everybody
else does so as well (“drunk” may be replaced by any predicate).

Theorem (Drinkers’ Principle). ∃x. Q x → (∀y. Q y)

Proof. We show Q x → (∀y. Q y) for some x by case analysis. Assume ∀y. Q y,
then any individual makes the implication true. Assume ¬(∀y. Q y), then there
is a y such that ¬Q y holds, which makes the implication true as well.

This narration of usual informal mathematics style is turned into a formal
Isabelle/Isar text as follows, while retaining the overall structure of reasoning.

¹ Isabelle’s simplifier is used here to normalize with a single equation only.

theorem Drinkers'_Principle: "∃x. Q x → (∀y. Q y)"
proof cases
  assume "∀y. Q y"
  fix any have "Q any → (∀y. Q y)" ..
  thus ?thesis ..
next
  assume "¬(∀y. Q y)"
  then obtain y where "¬ Q y" ⟨proof⟩
  hence "Q y → (∀y. Q y)" ..
  thus ?thesis ..
qed

Isar certainly does require some understanding of the language semantics [31, 
32] in order to appreciate the formal reasoning in detail. Subsequently, we shall 
point out the most important aspects of this proof. 

The outermost “proof cases” step refers to the propositional case-split rule
(A ⟹ C) ⟹ (¬A ⟹ C) ⟹ C, thus the body gets divided into two branches,
which are separated by next. The rule admits introducing additional local
hypotheses using assume in each case. In order to establish the main thesis, an
existential statement, we prove the goal for some suitable witness. In the first
case, fix augments the context by a new local variable (without any additional
assumptions), and have states the desired implication. The double-dot proof
means that the result is established from the current context by a single standard
structural rule (here →-intro). With this result, the thesis is just another single
step away (apparently via ∃-intro).

Note that idiomatic phrases such as “thus ?thesis ..” are quite typical for Isar.
We have seen a similar one in the group calculation: “finally show ?thesis .”.
Isar avoids specialized language elements as much as possible, reducing anything
to few principles only. The flexible way that the basic entities may be composed
into well-formed proof texts results in a very rich language.

The second case of our proof is similar to the first one, but the witness
element is produced differently: the assumption ¬(∀y. Q y) classically yields
∃y. ¬Q y, so we may pick any such y when showing the main goal (by virtue of
the ∃-elim rule). The derived Isar language element obtain arranges this kind
of formal reasoning in a way that is close to usual mathematical practice. In
particular, the existential statement and the actual elimination step are put out
of the main focus, highlighting the resulting context modification instead. Above
we have even suppressed an actual proof, leaving a placeholder. Completing this
in terms of basic logical reasoning would be just an exercise on de Morgan’s Law,
turning ¬(∀y. Q y) into ∃y. ¬Q y.

Alternatively, the proof for obtain may be finished with some automated
proof tool, say “by blast”, which refers to Isabelle’s tableau prover. How to
proceed in such situations is mainly a question of methodology. It is up to the 
author to determine which parts of the proof are considered relevant for the 
intended audience, while the proof language has to offer the structural flexibility. 
3 An Environment for Intelligible Formal Mathematics

We discuss some central aspects of the Isar proof language, which is at the heart
of our environment for intelligible formal mathematics. Three stages are considered:
a minimal logical framework for primitive natural deduction, the Isar
primary proof language seen as a logically redundant enrichment, and derived
proof schemes for advanced applications. The resulting architecture fully preserves
machine-checkable correctness as provided by the primitive level.

3.1 Logical Foundations 

We closely follow Isabelle’s meta-logic [24], which is an intuitionistic ∀/⟹/≡-
fragment of higher-order logic. Logical syntax is that of simply-typed λ-calculus.
Proof rules are the standard ones for minimal logic, with definitional equality
≡. Proof objects may be represented within a typed λ-calculus with separate
abstraction and application for simply-typed terms x : τ and propositions a :
A.² The set H of propositions in Hereditary Harrop Form (HHF) is defined
inductively as H = ∀x̄. H̄ ⟹ A, where x refers to the set of variables, A to
atomic propositions, and x̄, H̄ to lists. HHF formulae play a central role in
representing both natural deduction rules and internal proof states [24,25]. Note
that according to HHF, contexts have the canonical form Γ = x̄, H̄.

Common object-logics based on natural deduction (e.g. classical HOL, ZF
set-theory, even type theory) can be expressed within this meta-logic in a convenient
way [25]. Any such formalization may be directly re-used within the Isar
framework, including theory libraries, definitional packages and proof tools [32].

3.2 Basic Proof Language 

The Isar core proof language provides 12 primitive elements, which are interpreted
on top of the basic logical framework by referring to its primitive inferences
(mostly derived rules for back-chaining and proof-by-assumption), together
with some additional book-keeping [31]. The Isar primitives are as follows [32,
Appendix A]: “fix x : τ” and “assume a : A” augment the context, then indicates
forward chaining (e.g. to do elimination in the subsequent reduction step),
“have a : A” and “show a : A” claim local statements (the latter includes solving
of some pending goal afterwards), “proof m” performs an initial proof step by
applying some method, “qed m” concludes a (sub-)proof, { } and next manage
block structure, “note a = b” reconsiders facts, and “let p = t” abbreviates
terms via higher-order matching against some pattern.

In addition, there are 7 basic defined elements: “by m₁ m₂” for proofs with
an empty body, “..” for single-rule proofs, “.” for immediate proofs, hence/thus
for claims with forward chaining indicated, and “from a”/“with a” for explicit
forward chaining from (additional) facts.

² Note that τ is usually suppressed due to type-inference, while a is omitted internally
in implementations following the “LCF-approach”.

The most essential ingredient to achieve a well-balanced basis for intelligible
proof is free choice over forward vs. backward reasoning. To see how this works
out in Isar, we relate chunks of proof text to an enriched version of primitive
proof objects (cf. §3.1). We define backward (▷) and forward (◁) application
operators for lists of λ-terms such that s̄ ▷ t ◁ ū = t s̄ ū. Now let R be a natural
deduction rule ā : Ā ⟹ b̄ : B̄ ⟹ C, where the premises are separated into two
lists ā : Ā and b̄ : B̄ (for clarity we suppress any contexts of the premises).

The body of Isar (sub)-proofs consists of a sequence of context elements or 
proven statements. These may be put into the following standard form: 

⟨context⟩ from ā show C proof (rule R) ⟨body⟩ qed

where ⟨body⟩ is recursively of the same structure. This is a correct piece of
reasoning, if ⟨body⟩ proves “show Bᵢ” for each Bᵢ in B̄, such that ā ▷ R ◁ π(B̄)
establishes C, for some permutation π.

The impact on the overall structure of Isar proofs is as follows. The sub-problems
stemming from rule R are split into parts ā and π(B̄), where the ā : Ā
have been established beforehand and b̄ : B̄ are deferred to sub-proofs at a deeper
level. It is important to note that the two sections are not handled symmetrically:
ā refers to facts from the context by symbolic names and in a fixed order, while
in the body sub-problems are stated as explicit propositions in an arbitrary order
π(B̄). This enables readable proofs, since the Ā statements can be easily spotted
verbatim in the preceding context, while the members of B̄ appear in the body
below, in an appropriate order to handle the more interesting ones first. Note that
the fixed order of the ā specification still admits the corresponding statements to
appear anywhere in the context. On the other hand, this policy improves clarity
and robustness of proof checking, since it makes it easy to determine rule R
automatically from the structure of Ā and C (for elimination or introduction,
respectively) without any serious search. Consequently, Isar proofs seldom name
R explicitly, but usually decompose according to implicit standard rules.



3.3 Derived Proof Schemes 

Large case studies such as the Hahn-Banach Theorem show that realistic ma- 
thematical applications demand additional proof support, apart from the pure 
natural deduction provided so far (cf. §3.2). On the other hand, the basic Isar 
proof language turns out to be sufficiently expressive to admit advanced schemes 
as further derived elements. Subsequently, we discuss a flexible form of calcula- 
tional proof, and generalized reasoning with eliminated existence. 



Calculational Proof can be understood as iterated reasoning with transitivity
rules, such that the final result emerges from folding a sequence of facts together.
This may involve any suitable “binary” rule, like s = t ⟹ t = u ⟹ s = u, the
same for < and ≤, including any combination of these. Substitution s = t ⟹
P s ⟹ P t works as well, then composition means to replace equal sub-terms.
Isar calculations work incrementally, maintaining a secondary result called
calculation by composition with the primary one this, which always refers to the
latest fact. We now just define two new language elements, also and finally.

also₀ = note calculation = this
alsoₙ₊₁ = note calculation = trans [OF calculation this]
finally = also from calculation

Here also₀ refers to the first, and alsoₙ₊₁ to further occurrences of also within a
calculational sequence, at the same level of blocks. The OF operation combines
logical rules using higher-order resolution (back-chaining). For atomic propositions,
OF indeed coincides with application in λ-calculus. The trans rule above
is determined by higher-order unification from a set of transitivities declared
in the theory library. These rules usually include plain transitivity of =/</≤,
and substitution of =, or even </≤ with monotonicity conditions extracted in
the expected way. Determining rules implicitly by higher-order unification works
very well in practice, without any serious search required.

Another version of calculational elements are moreover and ultimately, 
which are even more simple since they only collect facts without applying any 
rules yet. This is quite useful to accumulate a number of intermediate results 
that contribute to some ultimate result. Thus the proof text is often easier to 
read as we avoid explicit naming of intermediate facts. 

moreover = note calculation = calculation this 
ultimately = moreover from calculation 

One may also use also and moreover together within the same calculation, say 
if using rules that require more than two facts to yield the intended result. 



Eliminated Existence Reasoning means that additional variables with certain
hypotheses are introduced, as justified by a corresponding soundness proof.
Consider the special case of eliminating ∃x. H[x], where an additional x with
assumption H[x] may be obtained. The derived Isar element obtain is defined
as follows (optional ⟨facts⟩ may have been indicated for forward chaining).

⟨facts⟩ obtain x where H[x] ⟨proof⟩ =

{
  fix C
  assume ∀x. H[x] ⟹ C
  from ⟨facts⟩ have C ⟨proof⟩
}
fix x assume* H[x]

After having finished the soundness proof, the assumptions H[x] are introduced
with an internal hint of being obtained. This tells the Isar interpreter how to
discharge this context element later, whenever a result is exported from its scope.
According to the nature of existential reasoning, parameters x may never occur
in a final conclusion, only in intermediate results within the same context.

The obtain scheme has many virtues in reducing the complexity of formal 
proof texts. For example, duplicate occurrences of x and H in the text are 
avoided. Furthermore, the soundness proof of obtain is usually straightforward 
by using existing facts together with basic automated tools (e.g. rewriting). 
Speaking in terms of first-order logic, the proof would basically correspond to
iterated introduction of ∃ and ∧, but obtain in Isar does not even mention any
particular ∃ or ∧ connective of the object-logic. This way we both gain flexibility
and avoid cumbersome automated reasoning with existential quantifiers.

Between the two extremes of basic assume and obtain there are further
derived context elements in Isar: “def x = t” is like “fix x assume x = t”
where the equation is discharged by generalization and reflexivity later, while
presume is just like assume, but leaves the assumption as a new subgoal.



3.4 Addressing Correctness 

In order to see how Isar fares in the quest of correctness [3] , recall its basic arran- 
gement of formal concepts: there are two main levels, the primitive logical core 
and the primary Isar proof language; these are related by an interpretation func- 
tion, providing an operational semantics of Isar proof texts in terms of primitive 
inferences [31]. First of all, suppose we believe in the basic logical framework 
(see §3.1), and know how to implement it at the highest conceivable level of cor- 
rectness (cf. the discussion in [3,4]). Furthermore, we may formulate correctness 
(or even completeness) results of Isar proofs related to primitive ones by virtue 
of the operational semantics. While this would tell us that the Isar machine 
operates adequately, without producing nonsense or failing unexpectedly, it is 
not the primary means to achieve ultimate machine-checked correctness: both 
the Isar interpreter program and its correctness proof are sufficiently complex 
to lower the resulting level of confidence at least by an order of magnitude. 

Fortunately we can do better, even with informal proof sketches of the Isar 
machine correctness result and an unverified implementation only. The key pro- 
perty of the Isar interpretation process is that actual “theorems” can be treated 
as non-observable objects that are manipulated abstractly, without ever depen- 
ding on the actual structure of internal proofs or propositions. Thus the original 
notion of correctness of the primitive level is passed undisturbed to the primary 
one of Isar proof text processing. 



4 The Hahn-Banach Theorem 

The Hahn-Banach Theorem is probably the most fundamental result in functional
analysis (e.g. [20]). We will consider an informal proof in a standard
mathematical textbook [16, §36] where two different versions of the theorem are
presented, one for general linear spaces, and one for normed vector spaces.

We show how the underlying mathematical notions can be expressed in a
very natural way, employing the simply-typed set theory of HOL [11,15]. We
also present a proof in Isabelle/Isar, which closely follows the original one [16].



4.1 Structure of the Proof 

Theorem (Hahn-Banach). Let F be a subspace of a real vector space E, let
p be a semi-norm on E, and f be a linear form defined on F such that f is
bounded by p, i.e. ∀x ∈ F. f x ≤ p x. Then f can be extended to a linear form
h on E such that h is norm-preserving, i.e. h is also bounded by p on E.

Proof Sketch. 

1. Define M as the set of norm-preserving extensions of / to subspaces of E. 
The linear forms in M are ordered by domain extension. 

2. We show that every non-empty chain in M has an upper bound in M . 

3. With Zorn’s Lemma we conclude that there is a maximal function g in M . 

4. The domain H of g is the whole space E, as shown by classical contradiction:

   — Assuming g is not defined on the whole of E, it can still be extended in a
     norm-preserving way to a super-space H' of H.

   — Thus g cannot be maximal. Contradiction!

From this we also get a version of the Hahn-Banach theorem for normed 
spaces [16, §36]. The complete formal proof of this corollary is given in [6,5]. 



4.2 Formalization in HOL Set Theory 

We formalize basic notions of functional analysis in HOL set-theory: vector spa- 
ces, subspaces, and an order of functions by domain extension. Further notions 
such as normed vector spaces, continuous linear forms and norms of functions 
are required for the version for normed vector spaces only, see [6,5]. 

Note that our development does not require any topological notions. The 
interpretation of bounded linear forms as being “continuous” is left informal. In 
fact, this treatment follows the usual practice in functional analysis [16]. 



Vector Spaces. There are several ways of defining abstract mathematical structures
such as vector spaces in HOL. One is to define axiomatic type classes (cf.
the group example in §2). Another general principle is to define structures as
predicates over a carrier set together with operations. We apply a particular
instance of this principle where we use polymorphic operations +, − and 0 on a
generic type α. Further, we introduce an operation · :: ℝ ⇒ α ⇒ α and define

is-vectorspace :: α set ⇒ bool

is-vectorspace V = V ≠ {} ∧ (∀x ∈ V. ∀y ∈ V. ∀z ∈ V. ∀a b.
  x + y ∈ V ∧ a · x ∈ V ∧ (x + y) + z = x + (y + z) ∧ ...)

Alternatively, we could have defined a class of records with components for
the carrier set and corresponding operations. While this closely reflects common
treatment of mathematical structures in theory, it deviates from the usual
practice, since we would have to refer to explicit record selector and update
operations all the time. Our present approach has the advantage of mimicking
informal mathematical usage, by identifying a structure with its carrier.



Subspaces. The way that vector spaces have been modeled above enables subspaces
to be described succinctly: just use HOL’s ⊆ relation on the carriers and
express closure wrt. vector space operations as usual [6]. Furthermore, the main
proof will construct chains of vector spaces, with the supremum simply as ⋃.

Observing these abstract virtues, we shall also validate our notion of subspaces
in concrete instances. For example, using type ℕ ⇒ ℝ for α we would first
define +, −, ·, 0 point-wise on the whole domain. Then any n-dimensional space
ℝⁿ would correspond to {f. ∀i ≥ n. f i = 0}. Apparently, any such carrier set
is closed under vector operations — it does not matter that these are defined
on the whole type. Common infinitary vector spaces can be defined as well: ℓ^∞
becomes {f. ∃c. ∀i. |f i| ≤ c}, and ℓ² becomes {f. ∃c. ∀k. Σ_{i<k} |f i|² ≤ c}. Using
ℝ ⇒ ℝ for α we could even define the very rich class of L^p spaces, provided we
also have a sufficient base of real analysis and measure theory in HOL.



Partial functions ordered by domain extension. Expressing partial fun- 
ctions in an inherently total setting like HOL requires some care. A standard 
technique that always works is to consider the graph of a function. This turns 
out to be perfectly adequate for our application. We define graphs as follows: 

a graph = (a x R) set 

graph :: a set — >■ (a — >■ R) — >■ a graph 

graph F f = {{x,f x). x G F} 

When speaking informally we never distinguish a function from its graph. With the above definition we can now introduce the order on functions by extension very easily: h is an extension of f iff graph F f ⊆ graph H h. 

For the proof of the Hahn-Banach theorem we need the set of all norm-preserving extensions of a linear form f defined on a vector space F. This can be expressed in HOL in a very natural way. It is the set of all graphs of linear extensions of f, to super-spaces H of F, that are bounded by the semi-norm p: 

norm-pres-extensions :: α set → (α → ℝ) → α set → (α → ℝ) → α graph set 

norm-pres-extensions E p F f = {graph H h. is-linearform H h 
  ∧ is-subspace H E ∧ is-subspace F H 
  ∧ graph F f ⊆ graph H h ∧ (∀x ∈ H. h x ≤ p x)} 

The canonical order by inclusion on this set of graphs corresponds to the 
order of functions by domain extension. 
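The graph representation and the extension order just described, as an added Python example that is not part of the paper's Isabelle development: domains are small finite sets of integers (constructed values) rather than vector spaces, and the function names are this example's own. chain_union is the finite counterpart of the step, needed for Zorn's Lemma, that the union ⋃c of a non-empty chain c of graphs is itself the graph of a function; for a set of graphs that is not a chain the union may fail to be functional, which is why the chain hypothesis is essential.

```python
from fractions import Fraction
from typing import Callable, FrozenSet, Iterable, Optional, Set, Tuple

# A graph is a set of (argument, value) pairs; values play the role of R.
Graph = FrozenSet[Tuple[int, Fraction]]


def graph(F: Set[int], f: Callable[[int], Fraction]) -> Graph:
    """graph F f = {(x, f x). x in F}"""
    return frozenset((x, f(x)) for x in F)


def extends(g: Graph, h: Graph) -> bool:
    """h is an extension of g iff g is a subset of h (order by domain extension)."""
    return g <= h


def is_function(g: Graph) -> bool:
    """A set of pairs is the graph of a function iff no x carries two values."""
    return len({x for x, _ in g}) == len(g)


def is_chain(c: Iterable[Graph]) -> bool:
    """Every two members are comparable under the extension order."""
    c = list(c)
    return all(extends(a, b) or extends(b, a) for a in c for b in c)


def chain_union(c: Iterable[Graph]) -> Optional[Graph]:
    """The upper bound used in the proof: for a chain c, the union of all its
    graphs is again the graph of a function. Returns None when c is not a chain."""
    c = list(c)
    if not is_chain(c):
        return None
    u = frozenset().union(*c)
    assert is_function(u)  # guaranteed: any two members agree where both are defined
    return u
```

The assertion inside chain_union is the finite shadow of the lemma the Isar proof below leaves to ⟨proof⟩: two comparable graphs agree on the smaller domain, so their union never assigns two values to one argument.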
Zorn's Lemma. We follow the informal proof of the Hahn-Banach Theorem [16] in using Zorn's Lemma, which can actually be proved in Isabelle/HOL using Hilbert's ε choice operator. The following formulation will be used: "Let M be a non-empty ordered set; if any non-empty chain c in M has an upper bound in M, then M has a maximal element, i.e. ∃g ∈ M. ∀x ∈ M. g ≤ x → g = x." 

4.3 The Main Proof in Isabelle/Isar 

We present an abstracted version of the actual formal proof in Isabelle/Isar 
[6]. The structure of the text follows that of the sketch given in §4.1. Readers 
familiar with the Isar semantics should be able to follow the reasoning mostly 
from the formal text only. We have augmented the text by comments giving the 
corresponding informal reading of each significant step as well. 

theory HahnBanach = HahnBanachLemmas: 
theorem HahnBanach: 
  "is_vectorspace E ==> is_subspace F E ==> is_seminorm E p ==> 
   is_linearform F f ==> ∀x∈F. f x <= p x ==> 
   ∃h. is_linearform E h ∧ (∀x∈F. h x = f x) 
     ∧ (∀x∈E. h x <= p x)" 
  — Let E be a vector space, F a subspace of E, p a seminorm on E, 
  — and f a linear form on F such that f is bounded by p, 
  — then f can be extended to a linear form h on E in a norm-preserving way. 
proof - 
  assume "is_vectorspace E" "is_subspace F E" "is_seminorm E p" 
    and "is_linearform F f" "∀x∈F. f x <= p x" 
  — Assume the context of the theorem. 
  def M == "norm_pres_extensions E p F f" 
  — Define M as the set of all norm-preserving extensions of F. 
  { 
    fix c assume "c ∈ chain M" "∃x. x ∈ c" 
    have "⋃c ∈ M" ⟨proof⟩ 
    — Show that every non-empty chain c of M has an upper bound in M: 
    — ⋃c is greater than any element of the chain c, so it suffices to show ⋃c ∈ M. 
  } 
  hence "∃g∈M. ∀x∈M. g ⊆ x --> g = x" ⟨proof⟩ 
  — With Zorn's Lemma we can conclude that there is a maximal element in M. 
  thus ?thesis 
  proof 
    fix g assume "g ∈ M" "∀x∈M. g ⊆ x --> g = x" 
    — We consider such a maximal element g ∈ M. 
    obtain H h where "graph H h = g" "is_linearform H h" 
      "is_subspace H E" "is_subspace F H" "graph F f ⊆ graph H h" 
      "∀x∈H. h x <= p x" ⟨proof⟩ 
    — g is a norm-preserving extension of f, in other words: 
    — g is the graph of some linear form h defined on a subspace H of E, 
    — and h is an extension of f that is again bounded by p. 
    have "H = E" 
    — We show that h is defined on whole E by classical contradiction. 
    proof (rule classical) 
      assume "H ≠ E" 
      — Assume h is not defined on whole E. Then show that h can be extended 
      — in a norm-preserving way to a function h' with the graph g'. 
      have "∃g'∈M. g ⊆ g' ∧ g ≠ g'" 
      proof - 
        obtain x' where "x' ∈ E" "x' ∉ H" ⟨proof⟩ 
        — Pick x' ∈ E \ H. 
        def H' == "H + lin x'" 
        — Define H' as the direct sum of H and the linear closure of x'. 
        obtain xi where "∀y∈H. - p (y + x') - h y <= xi 
          ∧ xi <= p (y + x') - h y" ⟨proof⟩ 
        — Pick a real number ξ that fulfills certain inequations; this will 
        — be used to establish that h' is a norm-preserving extension of h. 
        def h' == "λx. let (y, a) = SOME (y, a). x = y + a · x' ∧ y ∈ H 
          in h y + a * xi" 
        — Define the extension h' of h to H' using ξ. 
        show ?thesis 
        proof 
          show "g ⊆ graph H' h' ∧ g ≠ graph H' h'" ⟨proof⟩ 
          — Show that h' is an extension of h ... 
          show "graph H' h' ∈ M" ⟨proof⟩ 
          — and h' is norm-preserving. 
        qed 
      qed 
      hence "¬ (∀x∈M. g ⊆ x --> g = x)" by simp 
      — So the graph g of h cannot be maximal. Contradiction! 
      thus "H = E" by contradiction 
    qed 
    thus "∃h. is_linearform E h ∧ (∀x∈F. h x = f x) 
      ∧ (∀x∈E. h x <= p x)" ⟨proof⟩ 
  qed 
qed 

end 

For the above presentation we have pruned the actual Isabelle/Isar proof [6] at the outermost level, in order to focus on the main course of reasoning. Nevertheless, the resulting text still qualifies as a well-formed Isar proof, provided that any omitted ⟨proof⟩ does. Note that Isar enjoys compositional proof checking. 

The overall structure of the complete Isar proof of this representative exam- 
ple is as follows. The topmost proof outline (of a few pages) refers to a number of 
special lemmas via some “glue code” , which is expressed using automated proof 
tools (e.g. the simplifier). The proofs of the lemmas typically require considerably 
more effort, mainly due to gory details usually skipped in informal presentations, 
such as [16]. Furthermore, any particular application usually requires some addi- 
tional background theory of basic notions. The subsequent numbers give a rough 
comparison of three Hahn-Banach proofs, where Heuser’s is with pen-and-paper. 





                basic notions   special lemmas   main proof 
  Heuser [16]   ?               -                3 pages 
  Mizar [22]    ?               25 pages         8 pages 
  Isar [6]      35 pages        16 pages         5 pages 



While the Mizar proof differs from ours in many details, both have a similar 
level of abstraction. Also note that the Mizar version refers to a large library of 
formalized mathematics that is hard to pin down exactly. 

The complete Hahn-Banach development [6] as distributed with Isabelle99-1 takes 63 pages in total. It includes some additional explanations and an alternative version of the main theorem. The performance of Isabelle/Isar in processing this document is quite reasonable: proof checking plus LaTeX generation takes less than 3 minutes on a 300 MHz machine; real memory requirements are about 40 MB. These figures are typical for Isabelle/HOL in general; the overhead for Isar proof text processing compared to primitive tactic applications is very small. 

5 Conclusion 

We have evaluated the Isabelle/Isar environment by the case study of the Hahn-Banach Theorem, as a large example of formalized mathematics. Using simply-typed classical HOL set-theory, we have been able to model the underlying notions of functional analysis similar to the informal presentation in the textbook [16]. Furthermore, the high-level Isar proof language has enabled us to provide a machine-checked proof, with the reasoning arranged at different conceptual levels, such that the topmost outline closely resembles an informal proof sketch. 

The Hahn-Banach theorem already appears in informal mathematics in a multitude of formulations, and quite different approaches to its proof (cf. [20]). There are some machine-checked formalizations as well, notably a Mizar version [22] (which is based on Tarski-Grothendieck set-theory), and a formulation in Martin-Löf Type Theory [10] that has been checked with the Agda system. In contrast to the Mizar and Isar versions, which basically share the same presentation of Hahn-Banach in a classical setting of functional analysis (using Zorn's Lemma), the Martin-Löf one is presented quite differently within the setting of point-free formal topology [10]. 
Our case study on Hahn-Banach has shown that Isabelle/Isar is ready for complex mathematical applications. For future development, we aim at extending our scope towards further areas in computer science, such as meta-theoretical studies of programming languages (e.g. type systems and operational semantics). This will probably demand further derived elements on top of the basic Isar proof language, such as more compact representations of local contexts stemming from abstract algebraic structures or large case analysis rules. Furthermore, users would certainly appreciate further assistance in constructing Isar proof documents, such as systematic support for common proof patterns. 
Abstract. We present a specification in Type Theory of a variant of a standard for smart cards' operating systems. The specification has been completely formalized and a basic property concerning security of the card has been developed and mechanically verified using the proof assistant Coq. 



1 Introduction 

Programs embedded in micro-controllers constitute a significant class of applica- 
tions. In these cases the code is executed on a processor of limited resources and 
the programs are small and normally critical. They interact with an external 
agent whose computational capacity can vary according to the application in 
question. Also depending on the application the agent can be considered inof- 
fensive or a potential attacker. Implantable biomedical devices, like pacemakers, 
are examples of the first kind, whereas smart cards, like phone or purchasing 
cards, are examples of the second. The development of these devices requires 
high investment in quality assurance, since error correction is always very ex- 
pensive and, in cases, even next to unfeasible. Therefore, there arises a significant 
interest in investigating formal methods with a view to make them part of con- 
struction processes to be established as standards. 

In the case of smart cards, security constitutes the central aspect of the problem 
of correctness. This problem can be addressed at several levels: correctness of 
the hardware, security of the communication protocol and encryption algorithms, 
and correctness of the implementation of the operating system embedded in the 
card. Several works have been done in the former two domains. Some examples 
of hardware verification have been reported in [10,4]. Experiences on the formal 
treatment of communication protocols and encryption algorithms can be found 
in [2,3]. The present article reports on an experiment of specification of a smart 
card operating system. We are not aware of previous work on the application of 
formal methods to analyze this kind of systems. 

The most significant results achieved are the following: 

* {gustun, comes, nora, tato}@fing.edu.uy 

T. Coquand et al. (Eds.): TYPES'99, LNCS 1956, pp. 77-93, 2000. 

© Springer-Verlag Berlin Heidelberg 2000 
- We wrote a specification of the operating system in a language close to 
ordinary mathematical language. We call this the mathematical specification. 
It can be understood assuming either ordinary set theory or constructive type 
theory [9,5]. The specification possesses a high level of abstraction, since it 
does not contain formulations of particular algorithms or data structures but 
rather types of functions and abstract data types. 

- We wrote down a complete formalisation of the mathematical specification 
using the proof assistant Coq [1]. 

- We developed in Coq (and thus mechanically verified) the proof of a signifi- 
cant basic property of the specified operating system. 

The case considered is simple but also quite realistic. After carrying out this 
work, we believe that the approach employed can be scaled up to larger, more 
complex examples within acceptable margins of effort. A formal specification like 
the one we have produced can be used in several ways, all of which constitute 
interesting possibilities at the present state of the art of the construction of smart 
cards: 

- The specification can be tested through the development and mechanical 
verification of proofs of required properties. 

- It can be used as the foundation for the process of mechanically verifying or 
deriving actual machine code implementations. 

- It can be taken as a standard of specification of smart card operating systems. 

The rest of the article proceeds as follows: in section 2 we give a concise account 
of the state of the art of smart cards and their operating systems. In section 3 
we present the mathematical specification. In section 4 we prove that the specifi- 
cation satisfies a security property of the operating system. Finally, we conclude 
commenting on several aspects of the work carried out and discussing possible 
further work. 



2 Smart Cards 

We proceed now to give a succinct informal account of smart cards and their operating systems. Most of this section is based upon [11], which is a reference manual on the state of the art in this subject. 

2.1 History 

Plastic cards became popular in the beginning of the '50s. Originally, the functionality of these cards was quite simple: they were mainly used as data containers. This capacity was enhanced by the incorporation of a magnetic band on the cards, which made it possible to store digital information to be retrieved by means of appropriate reading devices. However, this technology has a serious drawback: the information stored in the card can be read, written or even removed by anyone with access to an adequate device. For this reason, magnetic cards are not the best device in which to store confidential data. Extra precautions are needed to ensure confidentiality, e.g. the connection on-line of the system using magnetic cards to a host computer on which most of the critical information resides. This, in turn, generates a cost related to information transmission. 

A smart card is, in simple terms, a card with an embedded chip. Cards of this kind became the ideal device to provide a high level of security based on cryptography. It is possible to store secret keys in them and to execute cryptographic algorithms on those keys. In addition, the possibility of reprogramming a card already in service to incorporate new functionalities makes it possible to think of a range of applications that go far beyond what is feasible with the traditional magnetic cards. 

2.2 The Operating System of a Smart Card 

We shall now take a closer look at the structure and operation of smart card 
operating systems. A first point to be observed is that the process of standar- 
dization of these systems finds itself at present at its beginnings, with a number 
of coexisting international and industry standards. In the reference manual [11], 
a specific system is used as the basis for the general description of their ar- 
chitecture and functionalities, namely the system called STARCOS, which has 
been undergoing development since 1990 by the company Giesecke und Devrient 
and the German Society for Mathematics and Data Processing. Here are the 
characteristic general features: 

- The operation mode of a smart card is basically a request-answer process where the user is a terminal. The terminal sends a request (instruction) to the card, the card processes it, produces a result and sends it back to the terminal as the answer. So, in contrast to general purpose operating systems, smart card operating systems provide neither a man-machine interface nor the possibility of accessing external storage media. 

- The persistent data of the card is stored in so-called files implemented on 
EEPROM. The basic operations are those of selection, reading and updating 
of files. All the instructions concerned with file manipulation make reference 
to a currently selected file. 

- The file system has a tree structure with directories (called dedicated files or 
DF for short) and plain data files (called elementary files, or EF). The root 
directory is implicitly selected at the beginning of the operation of the card. 
It is called the master file, or MF for short. 

- The directories (DFs) normally represent applications, i.e. they group to- 
gether files or directories that are related to a certain use of the card. The 
set of applications with which the card is to be equipped is decided at the 
time of construction or upgrading of the card. In other words, the structure 
of directories is not to be modified by any user terminal and, therefore, there 
are no instructions for modifying that structure. 

- The directories have identifying names, which are called application identifiers or AIDs for short. In addition, every file possesses a so-called file identifier (FID). FIDs need not be unique in the entire file system, but they must be so among the children files of any given directory. 

- Every elementary file has a certain structure: it may be of fixed or variable 
length, linear or cyclic or contain executable code. Each object of the file 
system has a header, which contains information about properties of the file, 
e.g. about access permission, and, in the case of elementary files, about its 
structure. Besides the header there is of course the data of the file. In the 
case of directories, this data consists just in the identification of the children 
files of the directory. In general, there are no I/O instructions that operate on 
directories, i.e. not even reading operations at that level. Therefore, actual 
I/O occurs only on elementary files. 

- In addition to the file manipulation instructions, there are, among others, 
instructions for identification, authentication, execution of cryptographic al- 
gorithms and even special instructions for the programming of smart cards 
or specific applications. The memory space in a smart card is so restricted 
that, in contrast to regular operating systems, it is usually unfeasible to im- 
plement all the instructions and (elementary) file structures. It is for this 
reason that different profiles or variants have been introduced for the most 
relevant standards for operating systems. 

- Security is implemented by means of request-answer protocols and a per- 
sonal identification number (the PIN) associated to the card. Usually, PIN 
recognition involves execution of cryptographic algorithms. Again, the PIN 
is only modifiable at masking time, as is the number of consecutive PIN ve- 
rification failures after which the card becomes blocked. If a card is blocked, 
no information can be communicated between it and the user terminal. 

- It is possible in some cards to restrict the sequences of instructions to be accepted. In other words, it is possible to furnish the card with a number of programs that can be selected and executed. One typical example is given by the process of authentication of a terminal. In this case, it would be desirable that activation of the card leads to a state where only a number capable of constituting a PIN is accepted by the card, which would then proceed to check it. The instructions to be subsequently accepted by the card depend in general on its intended use or, as it is called, application. Therefore, it is said that cards may be single- or multi-application, depending on whether they come with one or more of these programs. The programs are represented as finite automata. Each state of one of these automata specifies the instructions that are allowed, and may as well determine access permissions to files. 

3 The Mathematical Specification 

In this section we present the specification of a variant of a smart card operating 
system. This specification aims at clarifying what a card is as a computing device. 
The description in [11], which we use as starting point, is very general in the 
sense of admitting several interpretations (and thus, implementations) of the 
concepts introduced. 
For our specification we chose a variant of the profile called P, introduced in the operating systems standard ISO/IEC 7816-4. It is a simple but nevertheless realistic (i.e. actually existing) case. We have used it as a first test case that allows us to evaluate the feasibility of larger, more complex examples. Another reason to choose it is that the more complex profiles were much less well defined in the source reference manual [11]. In summary, we consider: 

- Elementary files of fixed length. More precisely, each elementary file is a 
sequence of bytes of a fixed length, which depends on the file in question. 

- The instructions READ, UPDATE, SELECT using AID, SELECT CHILD and VERIFY. The first two of these are not worth more explanations at this point. The third one allows one to select a directory by giving its AID. The fourth is for selecting a child of the current file, which must then be a directory. In this case the selection is done via the (unique) FID of the child. Finally, VERIFY comes with a purported PIN, which is to be checked against the card's real one. We have not considered encryption of the PIN, since it does not introduce any interesting problems at this level of our study. 

- This specification is for cards of unique application, modelled by a state 
automaton included in the card. Furthermore, in this case the application 
has access to the data of any file of the card. Therefore, we can do without 
considering access permissions. 

A first sketch of the specification follows: 

A card comes with a number of constants. These are: 

- the structure of directories, 

- the PIN, 

- the number of consecutive PIN verification failures after which the card gets 
blocked. We shall call this the blocking number, for short. 

The card has a memory formed by: 

- the data in the files, 

- the currently selected file, 

- the counter of consecutive PIN verification failures. 

The memory is the updatable data of the card. The instructions work on the 
memory using the card constants. They affect the state of the memory and pro- 
duce responses. 

In addition, we have the automaton representing the application of the card. For 
each state of the automaton the following are defined: 

- a set of permitted instructions and 

- for each permitted instruction, a pair of successor states: one in case of 
successful execution of the instruction and the other for the case of its failed 
execution. 
In the rest of the section we present a mathematical specification of the operating 
system. We start by discussing the language used to produce the specification. 
Section 3.2 is devoted to the constants and memory of the card. We need to 
define first what a directory structure is. Given this as a basis, we state in a 
straightforward manner what the constants and the memory are. We define a 
number of relations on states of the memory that are needed for the specification 
of the instructions. The instructions are presented in section 3.3. Their semantics 
is specified in terms of pre- and post-conditions. In section 3.4 we specify what 
a (finite) automaton is and then define what it is to execute each individual 
instruction given states of the automaton and the memory. Finally, in section 3.5, 
we present the specification of the workings of the card as a function receiving 

- a state of the automaton, 

- a state of the memory and 

- a stream of instructions or card activation messages 

and producing a stream of memories and responses resulting from the sequential 
execution of the input instructions. 



3.1 The Language Used 

Everything written below can be formalized in Constructive Type Theory [9,5]. In fact, we have accomplished that using the proof assistant Coq. We have spent some effort to make the mathematical specification immediately accessible to anyone used to classical set theory. This should work if only types and sets, as used in the text, are uniformly interpreted as sets of the classical theory. There remain, however, some (hopefully minor) mismatches, on which we now proceed to comment. 

- We sometimes use the symbol : instead of ∈. The distinction can be regarded as totally immaterial. 

- We use record types, just as in ordinary programming languages, as (labeled) tuple sets. The selection of a field F out of a record r will be written F_r. 

- When specifying functions or records, we do not force ourselves to give names to every set involved. We usually write f : (x:A | P(x)) → (y:B | Q(x,y)), which should be read: f maps elements x of set A that verify P to objects y of type B such that Q(x,y). 

- We allow ourselves to use subsets of a given set A either as sets or as predicates on A, according to convenience. 

- We use some predefined type (set) constructors. In general, these are unproblematic given that we use common notation of programming languages. One possible exception is that of the types of sequences (lists). We write [A] for the type of lists (of arbitrary finite length) whose elements are of type A. If the lists are all of a given length n then we write the corresponding type [A]_n. And, finally, if the lists are infinite (streams) we write [A]_∞. 
- At some points we use a type called Prop, of which it is evident that it must have propositions as objects. The classical set theoretically minded reader can take this as just an abuse of notation (as if it were an escape into meta-language). 

A specification of the kind that we are about to examine is ultimately a set 
(type). It is satisfied (implemented) by any of its elements. In our case, the ob- 
jects to be specified (cards) have a number of components, related in certain 
ways. We shall describe this structure, giving specifications of the components 
and of the relations they must satisfy. 

We expect that no further clarification of our language will be necessary. Here 
are, however, some supplementary comments. Some of the comments are directed 
to the type theoretic minded reader. These are written in italics. 

- In type theory, a sharp distinction is made between types and objects. This 
is particularly noticeable when considering functions. Functions are not sets 
but, rather, they are programs in the very concrete sense of functional pro- 
gramming. Moreover, they are in all cases terminating, i.e. there are no 
partial functions. 

- We use one and the same symbol (the ordinary =) to denote equality of 
elements of any type. In particular in the case of functions, we mean their 
extensional equality. The extensional equalities on function types that we 
need are unproblematic to define. 

- At some points we rely on the validity of excluded middle for some propositions. This is perfectly right since, in all such cases, the predicates involved can be shown to be decidable. 



3.2 Constants and Memory 

The specification to be presented aims at being as abstract as possible while 
preserving significant expectable properties of the operation of the card. We do 
this with the purpose of leaving room for a wide range of implementations and 
achieve conciseness wherever possible. We also aim at not contradicting the in- 
formal description of the original text [11], though this is difficult to establish 
beyond doubt, given the ambiguity inherent to the source. We start with the spe- 
cification of what a directory structure of a card is. This specification constitutes 
the basis on which to build that of the actual components of the card. 



Directory structures. Given a binary relation R ⊆ A × B we write R[a] for the image of a ∈ A under R. We use the same notation when the objects involved are subsets of A instead of elements, and also for images of such subsets along functions. 

Let Aid be the type of application identifiers (AIDs) and Fid that of file identifiers (FIDs). A directory structure (DS) consists of: 

- a set A (of ("absolute") valid addresses of files), 

- a partition of A into two sets DF and EF (the file types), 

- mf ∈ DF (the root or master file), 

- an injective function AD : DF → Aid (the unique AIDs of DFs), 

- a function AF : A → Fid (the file names), 

- a binary relation Ch ⊆ Fid × DF (the structure of directories) together with 

- a function FA : (d ∈ DF, f:Fid | f Ch d) → A, which gives the (address of the) unique file with FID f that is a child of d, 

- a function len : EF → ℕ (the fixed lengths of elementary files). 

Instances of Ch will be written using infix notation. Notice that the specification of this relation allows for cycles and hence directory structures are not specified as trees. The reason for this is not any technical difficulty, but just the aim for abstraction and conciseness commented earlier. Also it is not required that directories have children at all. 

Given a directory structure, define Aid ≝ AD[DF]. Then there is DA, the inverse of AD, defined on Aid into A. 



Constants of the card. Let PIN be the type of personal identification numbers (PINs, often sequences of four decimal digits). The constants of the card are: 

- ds : DS (the directory structure), 

- thePin : PIN (the PIN of the card) and 

- maxEC : ℕ (the blocking number). 

Memory of the card. The memory of the card has as first component the 
data in the elementary files. The type of this data is specified as follows: 

FD (a:EF) ^ 

We define now the type of the memory of the card: 

M ≝ (fd : FD; sel : A; ec : [0..maxEC]) 

We refer in the text to the preceding components as follows: 

- fd is the (card) file data, 

- sel is (the address of) the selected file, 

- ec is the counter of consecutive PIN verification failures or the error counter. 

We define equivalences between memories that will be useful for specifying the instructions of the card. These equivalences are just equality of memories up to each of its components. More precisely, we introduce: 

- ≈_sd, such that m ≈_sd m' holds whenever m and m' differ at most in the contents of their (common) selected file. In symbols: 

m ≈_sd m' ≝ (∀a : A)(a ≠ sel_m ⊃ fd_m(a) = fd_m'(a)) ∧ sel_m = sel_m' ∧ ec_m = ec_m' 

- ≈_sel, such that m ≈_sel m' holds whenever m and m' differ at most in (the addresses of) their respective selected files. 

- ≈_ec, such that m ≈_ec m' holds whenever m and m' differ at most in the value of their respective error counters. 

We omit the formal definition of the last two relations above, given that they are just straightforward. Finally, we define what it is for a card to be blocked. This is a predicate on the memory defined simply as follows: 

Blocked(m) ≝ (ec_m = maxEC). 

3.3 Instructions 

The syntax of instructions is given by the set Ins, defined inductively by the following constructors: 

- selAid : Aid → Ins 

- selChild : Fid → Ins 

- read : (o, l : ℕ) → Ins 

- upd : (o, l : ℕ, u : [Byte]_l) → Ins 

- verify : PIN → Ins 

Let us give some informal explanations. The first two cases have already been explained. The instruction read(o, l) reads off the subsequence of length l of the selected file whose starting point is reached by skipping o positions from the beginning of the file (o is called the offset). Then the selected file must be an elementary file and at least of the implicitly required length. Similarly, the instruction upd(o, l, u) replaces the subsequence of the selected file positioned after offset o and having length l by the sequence u. 

The semantics of the instructions will be specified by pre- and post-conditions. For each instruction, the precondition will be a predicate on the memory and the postcondition a relation involving the states of the memory before and after execution, as well as the data extracted from the card. This data will always be a sequence of bytes. We define: 

data ≝ [Byte]. 

More precisely now, we will have families of propositions: 

𝒫 : (i : Ins, m : M) → Prop and 
𝒬 : (i : Ins, m, m' : M, d : data) → Prop. 

The instances of these families corresponding to an instruction i will be written 𝒫_i and 𝒬_i and will be respectively the pre- and postcondition of i. For any instruction i and memory m the proposition 𝒫_i(m) is defined by 

𝒫_i(m) ≝ ¬Blocked(m) ∧ P_i(m) 

where we factor out the condition that the card must be operative for any instruction to be executed and let the pre-conditions particular to each instruction be specified by making use of the auxiliary family P, which is of the same type as 𝒫. The following table defines the families P and 𝒬. Corresponding explanations come next to the table. 



  i               P̄_i(m)                       Q_i(m, m', d) 
  ------------------------------------------------------------------------------------
  selAid(aid)     aid ∈ Aid                    m ∼_sel m' 
                                               ∧ sel_m' = DA(aid) 
                                               ∧ d = [] 

  selChild(fid)   fid ⊂_h sel_m                m ∼_sel m' 
                                               ∧ sel_m' = fid 
                                               ∧ d = [] 

  read(o, l)      EF(sel_m)                    m = m' 
                  ∧ o + l ≤ len(sel_m)         ∧ d = fd_m(sel_m)@(o, l) 

  upd(o, l, u)    EF(sel_m)                    m ∼_fd m' 
                  ∧ o + l ≤ len(sel_m)         ∧ fd_m(sel_m) ⟶_{o,l,u} fd_m'(sel_m') 
                                               ∧ d = [] 

  verify(p)                                    m ∼_ec m' 
                                               ∧ (p = thePin ⊃ ec_m' = 0 
                                               ∧ p ≠ thePin ⊃ ec_m' = ec_m + 1) 
                                               ∧ d = [] 


The first two entries are understood straightforwardly. It is only necessary to 
recall the definitions given when introducing directory structures. In the third 
entry we use the function @ which applies to a sequence and natural numbers o 
and n. It projects the sequence to its subsequence of length n at offset o. It is 
just a matter of routine to give a formal description of this function and hence 
we prefer to omit it. This function has as a particular case the one that selects 
the element of the given sequence at offset o, i.e. with n = 1. We shall denote 
this particular case in the same way as the general one, only that omitting the 
second parameter. 

Using the @ functions we can define the relation ⟶_{o,n,u} used to give the postcon- 
dition of the update instruction. Let f and f' be sequences of the same length 
m. Let further o and n be such that o + n ≤ m and u a sequence of length n. 
Then f ⟶_{o,n,u} f' holds whenever f' coincides with f everywhere except at the 
subsequence of length n at offset o, which must be equal to u. In symbols: 

$$ f \longrightarrow_{o,n,u} f' \equiv (f'@(o, n) = u) \wedge (\forall j \in [0..m-1])(j < o \vee j \geq o + n) \supset f@j = f'@j. $$



Finally, the last entry of the table ensures that the error counter is set to 0 after 
each successful PIN verification and incremented otherwise. 
3.4 Execution of Instructions 

We must now specify the execution of instructions as governed by the automaton 
representing the (single) application of the card. We start by formally introducing 
automata. 



Automata. An automaton A is determined by: 

- S (the set of states), 

- s_0 ∈ S (the initial state), 

- Valid(s) ⊆ Ins for each s ∈ S (the set of allowed instructions at each state), 

- T : (s ∈ S, i ∈ Valid(s)) → (ok, fail : S), the table of transitions. 

The table of transitions specifies two successor states. The first one corresponds 
to the case of successful execution of the instruction and the other one to that 
of its failed execution. 



One Step Execution. We now proceed to specify what the execution of an 
instruction is. This notion shall be defined as a function ξ (the interpreter) that 
given a state s, the memory m of the card and the instruction i to be executed, 
returns a new state s' and a tuple composed by the (possibly) modified memory 
and the corresponding answer. Answers, or as we shall say, responses are of the 
following type: 

$$ \mathcal{R} \equiv (rc : RC, d : data), $$

where RC is a set of (return) codes. We need to introduce return codes in order 
to give answers in cases of failed execution of instructions. The set of return 
codes could be chosen in different ways. A simple alternative is just: 

$$ RC =_{df} \{no\ file,\ not\ EF,\ boundary,\ invalid\ instruction,\ ack,\ nack\}. $$

For each instruction i, we specify a table that associates return codes to error 
conditions on the instruction. Using this table we define below a relation ErrMsg_i 
between states of the memory and return codes. This relation holds of memory 
m and return code rc whenever an error condition on i (i.e. one that negates 
the precondition P̄_i) holds at m and rc is a candidate return code for the case 
in question. Here is one such table: 



  i               Error Condition          Return Code 
  ----------------------------------------------------------
  selAid(aid)     aid ∉ Aid                no file 

  selChild(fid)   ¬(fid ⊂_h sel_m)         no file 

  read(o, l)      ¬EF(sel_m)               not EF 
                  o + l > len(sel_m)       boundary 

  upd(o, l, u)    ¬EF(sel_m)               not EF 
                  o + l > len(sel_m)       boundary 

To define ErrMsg_i it is enough to state in addition that, for any instruction i, 
any blocked memory m is associated to the return code nack. The interpreter is 
specified now as follows: 

$$ \xi : (s \in S, m : \mathcal{M}, i \in Ins) \to (s' \in S, m' : \mathcal{M}, r : \mathcal{R} \mid \chi(s, m, i, s', m', r)) $$

where the predicate χ describes the right relation between the state of the auto- 
maton and of the memory at activation of the instruction and the corresponding 
states and output at termination of the execution. Here it is in symbols: 

$$ \chi(s, m, i, s', m', r) \equiv $$
$$ i \in Valid(s) \supset (P_i(m) \supset (Q_i(m, m', d_r) \wedge rc_r = ack \wedge s' = ok_T(s, i)) $$
$$ \wedge\ \neg P_i(m) \supset (m' = m \wedge ErrMsg_i(m, rc_r) \wedge s' = fail_T(s, i) \wedge d_r = [])) $$
$$ \wedge\ i \notin Valid(s) \supset (m' = m \wedge rc_r = invalid\ instruction \wedge s' = s \wedge d_r = []) $$
That is: it has to be checked first whether the instruction is allowed at the current 
state of the automaton. If this is not the case (bottom line of the formula above) 
a corresponding return code is produced and the states of the memory and 
the automaton do not change. Also, no data is produced in this case. If the 
instruction is allowed, then the result depends on whether its precondition holds 
or not. If it does, then the postcondition of the instruction must hold of the 
original state of the memory and the result of the execution, i.e. the new state 
of the memory and the data produced. The code ack is returned in this case. If 
the precondition does not hold, then we have a failed execution: a corresponding 
return code must be produced and no data comes out of the card. In any case 
in which the instruction is valid for the original state of the automaton, the 
transition to the corresponding next state is effected. 



3.5 A Card’s Life 

Finally, we provide the specification of a process life, which is intended to re- 
present the potentially infinite working period of the card. The input of this 
process consists of a state s, a memory m and a stream of what we shall call 
events. An event is either an instruction or the activation of the card by the 
terminal, which we shall write reset. The output of the process is a stream of 
tuples, each consisting of a memory and a response. It should be understood as 
the (infinite) trace resulting from executing the stream of instructions on certain 
state and memory. How the process acts on the input, and therefore how this 
latter is related to the output, is described by a (coinductive) relation that shall 
be denoted by ⋈. Let us now give the formal definitions. 

$$ Events \equiv [Ins + \{reset\}]_\infty $$
$$ In \equiv (s \in S;\ m : \mathcal{M};\ es \in Events) $$
$$ Out \equiv [(m : \mathcal{M};\ r : \mathcal{R})]_\infty $$

Now we specify the process life by means of the following declaration: 

$$ life : (in : In) \to (out : Out \mid in \bowtie out) $$

The relation ⋈, in turn, is coinductively defined as follows: 

$$ (s, m, (reset :: ess)) \bowtie ((m', (ack, [])) :: oss) $$
$$ \supset (m \sim_{sel} m' \wedge sel_{m'} = mf \wedge (s_0, m', ess) \bowtie oss) $$

$$ (s, m, (i :: ess)) \bowtie ((m', r) :: oss) $$
$$ \supset (\xi(s, m, i) = (s', m', r) \wedge (s', m', ess) \bowtie oss) $$

Here we write individual record objects directly as tuples, i.e. omitting labels. 
The first clause stands for the case of a reset event. Then an ack is produced, 
no data comes out and we enter the initial state of the automaton, i.e. s_0. Also 
the master file becomes the selected file. The second clause is for the case of an 
incoming arbitrary instruction, denoted by the variable i. The specification is in 
this case quite straightforward. 

This finishes the specification. Notice that we have not specified the initialization 
of the card, i.e. a predicate on the memory that must be satisfied when the card 
is put to work for the first time. This predicate is in our case very simple, i.e. 
we should only require the error counter to be initialized to 0. Actually, it turns 
out to be more general and convenient to proceed as we did (i.e. not restricting 
the initial state of the memory) and to introduce further assumptions whenever 
this is necessary to derive properties in which we are interested. 

It now only remains to point out that the specification has been completely 
formalized using the proof assistant Coq. Comments on this latter process are 
to be found in the conclusions of the paper. 
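The following Python model is an added example, not code from the paper or from its Coq development: it realises the interpreter ξ of Sect. 3.4 and the process life of Sect. 3.5 for one constructed two-state application, implementing the pre- and postconditions of Sect. 3.3 (including the @ function and the update relation) and the error-code table. The file tree, application id, PIN and maxEC are constructed values; running life on a blocked memory exhibits the property proved in the next section, namely that every response carries no data and the memory stays blocked.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed parameters (not from the paper): a three-file tree and one application.
MAX_EC = 3
THE_PIN = "1234"
MF = "mf"
CHILDREN = {MF: {"df1"}, "df1": {"ef1"}, "ef1": set()}   # the child relation on file ids
ELEMENTARY = {"ef1"}                                       # EF(a) holds for these files
DA = {"app1": "df1"}                                       # DA : Aid -> file address

@dataclass(frozen=True)
class Memory:
    fd: Dict[str, bytes]   # fd_m: contents of the elementary files
    sel: str               # sel_m: the selected file
    ec: int                # ec_m: the error counter

def blocked(m: Memory) -> bool:
    return m.ec == MAX_EC

def at(seq: bytes, o: int, n: int) -> bytes:
    """The @ function: the subsequence of length n at offset o."""
    return seq[o:o + n]

def updated(f: bytes, o: int, n: int, u: bytes) -> bytes:
    """The unique f' with f -->_{o,n,u} f': positions o..o+n-1 replaced by u."""
    assert len(u) == n
    return f[:o] + u + f[o + n:]

# An instruction is a tuple (name, args...). The automaton is a constructed
# two-state application: s0 allows selAid/verify, s1 allows the file operations.
S0, S1 = "s0", "s1"
VALID = {S0: {"selAid", "verify"}, S1: {"selChild", "read", "upd", "verify"}}
T = {(S0, "selAid"): (S1, S0)}   # transition table (ok, fail); others stay put

def errors(m: Memory, ins: Tuple) -> List[str]:
    """ErrMsg_i: the return codes whose error condition holds at m."""
    name, args = ins[0], ins[1:]
    errs = []
    if name == "selAid" and args[0] not in DA:
        errs.append("no file")
    if name == "selChild" and args[0] not in CHILDREN[m.sel]:
        errs.append("no file")
    if name in ("read", "upd"):
        if m.sel not in ELEMENTARY:
            errs.append("not EF")
        if args[0] + args[1] > len(m.fd.get(m.sel, b"")):
            errs.append("boundary")
    return errs

def execute(s: str, m: Memory, ins: Tuple):
    """The interpreter: returns (s', m', (rc, d)) such that chi(s, m, i, s', m', r)."""
    name, args = ins[0], ins[1:]
    if name not in VALID[s]:
        return s, m, ("invalid instruction", b"")
    ok, fail = T.get((s, name), (s, s))
    if blocked(m):                       # P_i(m) fails: the card is not operative
        return fail, m, ("nack", b"")
    errs = errors(m, ins)
    if errs:                             # P-bar_i(m) fails: report an error code
        return fail, m, (errs[0], b"")
    # P_i(m) holds: produce m' and d as required by Q_i(m, m', d)
    if name == "selAid":
        return ok, Memory(m.fd, DA[args[0]], m.ec), ("ack", b"")
    if name == "selChild":
        return ok, Memory(m.fd, args[0], m.ec), ("ack", b"")
    if name == "read":
        return ok, m, ("ack", at(m.fd[m.sel], args[0], args[1]))
    if name == "upd":
        fd = dict(m.fd)
        fd[m.sel] = updated(fd[m.sel], args[0], args[1], args[2])
        return ok, Memory(fd, m.sel, m.ec), ("ack", b"")
    if name == "verify":
        ec = 0 if args[0] == THE_PIN else m.ec + 1
        return ok, Memory(m.fd, m.sel, ec), ("ack", b"")
    raise ValueError(name)

RESET = ("reset",)

def life(s: str, m: Memory, events: List[Tuple]) -> List[Tuple[Memory, Tuple[str, bytes]]]:
    """A finite prefix of the process life: the trace of (memory, response) pairs."""
    trace = []
    for e in events:
        if e == RESET:                   # re-enter s_0 and select the master file
            s, m, r = S0, Memory(m.fd, MF, m.ec), ("ack", b"")
        else:
            s, m, r = execute(s, m, e)
        trace.append((m, r))
    return trace

def no_data(trace) -> bool:
    """The NoData predicate on a finite prefix of the output stream."""
    return all(d == b"" for _, (_, d) in trace)
```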

4 A Property 

We wish to end up showing that no data can be extracted out from a blocked 
card. This is a significant basic property concerning security of the specified 
cards. Also the proofs that we are about to give have been written, and thereby 
mechanically verified, using Coq. The presentation below is rather detailed, i.e. 
much more than what is needed to convince the reader. We present the proofs in 
that manner in order to show some of the flavour of the completely formalized 
versions. 

4.1 An Invariant of One Step Execution 

The following proposition shows that any interpreter ξ satisfying the specifica- 
tion, when applied to a blocked memory, yields again a blocked memory and a 
response containing no data. 




90 G. Betarte et al. 



We recall that the interpreter of the card has been specified in the following way: 

$$ \xi : (s \in S, m : \mathcal{M}, i \in Ins) \to (s' \in S, m' : \mathcal{M}, r : \mathcal{R} \mid \chi(s, m, i, s', m', r)) $$

Let us write CorrectInterpreter for the type of ξ. 

Lemma. Consider ξ of type CorrectInterpreter, m a memory such that 
Blocked(m), s a state and i an instruction. 

Then d_{r_{ξ(s,m,i)}} = [] and Blocked(m'_{ξ(s,m,i)}). 

Proof. 

The function ξ is of type CorrectInterpreter. Then ξ(s,m,i) is a record of the form 
(s_o, m_o, r_o) and we wish to prove d_{r_o} = [] and Blocked(m_o). 

We have furthermore χ(s, m, i, s_o, m_o, r_o). Unfolding this we get 

$$ i \in Valid(s) \supset (P_i(m) \supset (Q_i(m, m_o, d_{r_o}) \wedge rc_{r_o} = ack \wedge s_o = ok_T(s, i)) $$
$$ \wedge\ \neg P_i(m) \supset (m_o = m \wedge ErrMsg_i(m, rc_{r_o}) \wedge s_o = fail_T(s, i) \wedge d_{r_o} = [])) $$
$$ \wedge\ i \notin Valid(s) \supset (m_o = m \wedge rc_{r_o} = invalid\ instruction \wedge s_o = s \wedge d_{r_o} = []) $$

From the former, we proceed by case analysis on i ∈ Valid(s) (on the basis that Valid(s) 
is decidable). 

- Assume i ∈ Valid(s). Then we have 

$$ P_i(m) \supset (Q_i(m, m_o, d_{r_o}) \wedge rc_{r_o} = ack \wedge s_o = ok_T(s, i)) $$
$$ \wedge\ \neg P_i(m) \supset (m_o = m \wedge ErrMsg_i(m, rc_{r_o}) \wedge s_o = fail_T(s, i) \wedge d_{r_o} = []) $$

We proceed by case analysis on the proposition P_i(m) (which is always decidable). 

  - Assume P_i(m) holds. Then unfolding the definition of P_i in P_i(m) yields 
  ¬Blocked(m) ∧ P̄_i(m), i.e. in particular ¬Blocked(m). Now this is absurd 
  because we supposed Blocked(m). Hence, d_{r_o} = [] and Blocked(m_o) trivi- 
  ally. 

  - Assume ¬P_i(m) holds. Then we obtain directly that d_{r_o} = []. On the 
  other hand, we get also m = m_o and, hence, since Blocked(m), it follows 
  Blocked(m_o). 

- Assume i ∉ Valid(s). Then we again obtain directly d_{r_o} = [] and m = m_o and 
find ourselves again in the latter case. 

□ 



4.2 An Invariant of the Card’s Life 

The next proposition shows that no information can be extracted out from a 
blocked card. More precisely it shows that the execution of a blocked card on 
any stream of input instructions produces a stream of outputs whose responses 
contain no data. 
Let us rewrite the definition of ⋈ in the following equivalent way: 

$$ (s, m, (e :: es)) \bowtie ((m_o, r_o) :: os) \supset $$
$$ e = reset \supset (m \sim_{sel} m_o \wedge sel_{m_o} = mf \wedge r_o = (ack, []) \wedge (s_0, m_o, es) \bowtie os) $$
$$ \wedge\ e \neq reset \supset (m_o = m'_{\xi(s,m,i)} \wedge r_o = r_{\xi(s,m,i)} \wedge (s'_{\xi(s,m,i)}, m'_{\xi(s,m,i)}, es) \bowtie os) $$

We start with an auxiliary definition. We say that a stream of outputs "has 
no data" if the response contained in each element of the stream is the empty 
sequence of bytes. The predicate NoData : Out → Prop is coinductively defined 
by: 

$$ NoData((m, r) :: s) \supset d_r = [] \wedge NoData(s) $$

Proposition. Let in = (s, m, (e :: es)) : In be such that Blocked(m) and o : Out 
such that in ⋈ o. Then NoData(o). 

Proof. 

We have to prove that each element of the stream o has a response with no data. By 
assumption we know that in ⋈ o, therefore by definition of ⋈ the object o must be of 
the form (m_o, r_o) :: os. The proof proceeds in two steps. 

1. We prove that d_{r_o} = [] and Blocked(m_o). We reason by case analysis on e. 

  a) Assume e = reset. Then, by definition of ⋈ we know that 

    - r_o must be of the form (ack, []), therefore d_{r_o} = []. 

    - m_o ∼_sel m. By definition of ∼_sel, ec_m = ec_{m_o}. Hence, from Blocked(m) we 
    get Blocked(m_o). 

  b) Assume e ≠ reset. Then, by definition of ⋈, we obtain m_o = m'_{ξ(s,m,i)} and 
  r_o = r_{ξ(s,m,i)}. Now, by the lemma, we get Blocked(m'_{ξ(s,m,i)}) and 
  d_{r_{ξ(s,m,i)}} = [], as we wished to prove. 

2. It remains to show that NoData(os). We proceed by case analysis on e. 

  - If e = reset (reasoning like in step 1a) this follows from (s_0, m_o, es) ⋈ os and 
  the fact that m_o is blocked. 

  - If e ≠ reset (reasoning like in 1b) this follows from 
  (s'_{ξ(s,m,i)}, m'_{ξ(s,m,i)}, es) ⋈ os and the fact that m'_{ξ(s,m,i)} = m_o is blocked. 

□ 

5 Conclusions 

We have written a mathematical specification of a variant of a standard pro- 
file for smart cards. This specification was destined from the beginning to be 
completely formalized in Type Theory (using the proof assistant Coq). We have 
presented it in a way such as to make it understandable to anyone used to 
ordinary mathematical language (i.e. based upon ordinary set theory). 

The specification possesses a high level of abstraction. For instance, we have 
introduced the directory structures as an abstract data type with a restricted 
set of necessary properties and specified the instructions of the card by means of 
pre- and post-conditions instead of introducing particular algorithms (functions) 
operating on concrete data structures. 
The code produced and verified with the assistance of Coq embodies the complete 
formalization of the operating system's mathematical specification as well as 
the proofs of the properties described in the preceding section. The completely 
formalized versions of both the specification and the proofs were almost directly 
generated from the mathematical specification. The components that were left 
abstract in the mathematical specification appear as parameters of the Coq code. 
For the proof of the main proposition, which requires reasoning over coinductively 
defined data, we made use of the tactic Cofix. We refer to [7] for a detailed 
presentation of this tactic. 

The whole code amounts to nine Coq files. It took about 20 man-hours to write 
down and check the files that constitute the specification whereas the proofs were 
carried out in no more than 4 hours. We also generated an HTML documenta- 
tion of the code, using a tool provided by the assistant. This documentation is 
available at www.fing.edu.uy/~mf/SmartCards. 

The concrete profile to be specified was chosen as an initial test case for the ap- 
plicability of type theory to the specification of smart cards’ operating systems. 
Given the resulting process and outcome, we believe that the approach can be 
scaled up to more complex variants within reasonable margins of effort. 

A formal specification like the one obtained can have several uses: 

- It can be tested by mechanically deriving and verifying proofs of required 
or expectable properties. In this work, we have given one example of this. 
Another example of such a property would be that no file operations can 
be executed until a successful PIN verification has occurred. To prove this 
of the given specification requires providing a particular automaton that 
implements the mentioned requirement. Nevertheless, a simple modification 
could be introduced so as to impose the property in question without making 
use of an automaton, namely to require as a pre-condition for every file 
operation that the error counter be equal to 0. Other properties that can 
be proved of the present specification are those concerned with the result 
of sequences of file operations, e. g. about the result of reading operations 
carried out after updating operations. These follow quite straightforwardly 
from the specification of the instructions. 

- It can serve as the basis from where to obtain formally certified implementa- 
tions written in machine code. One way to achieve this is to verify machine 
code specifications against the original one. We think that the tools described 
in [6] can be useful in this respect. Another way would be to derive a func- 
tional prototype satisfying the specification and to use the prototype in turn 
to obtain the machine code implementation, possibly via some machinery of 
program transformations. In this sense it is worth pointing out 
that, according to our estimations, the task of deriving a correct prototype 
can be carried out in a relatively small amount of time. This would require 
defining implementations for the components that have been abstractly spe- 
cified, as well as implementing a particular automaton (i.e. application) for 
the card. 
- It can serve for specifying standards of smart cards' operating systems. This 
is particularly relevant at the present state of the art of this field, where 
no standard has imposed itself yet. In this respect, a formal specification 
would first of all be useful to detect errors in the informal specifications. 
On the other hand, the formal specification of standards is essential for the 
introduction of formal methods in the processes of construction of the cards. 
And, finally, even if traditional methods of construction are to continue in 
use, a formal specification would serve as a formal counterpart to evaluate 
completeness and soundness of test plans and to improve confidence in the 
code inspection steps of the operating system implementation. 

We identify as a natural continuation of this work the use of the specification 
obtained to derive and extract certified programs implementing the operating 
system, following any of the approaches referred to above. We have also started 
investigating a particular class of smart cards, those known as Java Cards 
[12]. These cards admit their applications being completely written in the Java 
language [8], which incorporates a wide range of functionalities to smart card 
technology. We think that the results here reported could be a good starting point 
to formulate a specification of this family of cards. 
Abstract. In the context of Plastic, a proof assistant for a variant of 
Martin-Löf's Logical Framework LF with explicitly typed λ-abstractions, 
we outline the technique used for implementing inductive types from 
their declarations. This form of inductive types gives rise to a problem 
of non-linear pattern matching; we propose this match can be ignored in 
well-typed terms, and outline a proof of this. The paper then explains 
how the inductive types are realised inside the reduction mechanisms of 
Plastic, and briefly considers optimisations for inductive types. 

Key words: type theory, inductive types, LF, implementation. 



1 Introduction 

This paper considers implementation techniques for a particular approach to 
inductive types in constructive type theory. The inductive types considered are 
those given in Chapter 9 of [15], in which Luo presents a variant of Martin-Löf's 
Logical Framework LF which has explicitly typed λ-abstractions, and a schema 
for inductive types within this LF which is based on strictly positive operators. 
The proof assistant ‘Plastic’ implements this variant of LF with inductive types, 
together with extensions for Universes and for Coercive Subtyping [4,2] . 

The theory and implementation of inductive types is not new. Theoretical 
investigations can be found in papers such as [7,8,14]. Various forms of inductive 
types, with differing properties, have been implemented in several type theory 
proof assistants in recent years, e.g. Lego [23], Coq [5], ALF [18], and Agda [6]. 
Inductive types have also been implemented in Isabelle [21]; whilst this is not 
a type theory-based system, its approach of implementing object logics through 
a framework system is very relevant to our aims for LF/Plastic. To our know- 
ledge, the issues concerning actual implementation of inductive types in a type 
theory proof assistant, as opposed to the meta-theory, have not been considered 
significantly in the literature to date. 
The contribution of this paper is to explain in some detail our technique for 
transforming the syntax of an inductive type declaration to new constants and 
computation rules, and then their incorporation in to the reduction mechanism 
of Plastic. The context of LF and Plastic has several differences from the imple- 
mentations mentioned above (including Lego, which implements a form of Luo’s 
schema directly in ECC); thus, some novel issues are raised. 

The inductive types implemented are weaker than those in Coq, for exam- 
ple, as they are restricted to strictly positive recursion, and are manipulated 
via elimination operators. By contrast, Coq allows more powerful forms of in- 
ductive type, and users can manipulate them by ‘case’ constructs and explicit 
recursion, subject to certain constraints which ensure termination of recursion. 
We do not attempt to justify our form of inductive types against others, or to 
undertake a comparison of the various approaches; this paper will concentrate 
on implementing a single approach. 

We also consider a problem of non-linear pattern matching which arises in 
the computation rules for parametrized inductive types. This is a problem that 
affects several other implementations of inductive types, and one that has not 
(to our knowledge) been addressed seriously in the literature. We propose that 
the non-linearity can be safely ignored since it is irrelevant in a well-typed term, 
and outline a proof of this. 

Inductive types are central to proper use of LF. LF is a framework theory: 
one should not use LF directly, but should use it to define a particular ‘object’ 
type theory and use that. For example, LF does not have a notion of Sigma 
type (i.e. dependent pair) but Sigma types can be introduced as an inductive 
type. Widespread use, especially for key parts of object type theories like Pi- and 
Sigma- types, means efficient operation is an issue in our approach. We discuss 
ways to improve performance at the end of the paper, many of which have been 
implemented and are showing good results. 

1.1 Implementation Context 

The techniques presented in this paper have been developed and implemented 
in the system Plastic. Plastic is an implementation of the type theory presented 
in Chapter 9 of the monograph [15], with extensions for inductive families, co- 
ercive subtyping, and universes. There are several motivations for implementing 
this variant of LF (henceforth LF; Martin-Löf's LF will be named explicitly), 
including: 

— A tool for research on subtyping. Recent work on Coercive Subtyping by Luo, 
Soloviev, and Jones [16,13] analyses subtyping as a mechanism for abbrevia- 
tion that is built directly in to the (meta-level) LF. Object type theories 
specified in LF (such as UTT) then automatically inherit subtyping. Plastic 
is currently being used in case studies of coercion use, and to experiment 
with algorithms for implementing coercions [2]. 

— To use LF seriously as a framework for implementing object theories. One 
specifies a customised object type theory in LF (e.g. UTT or a subset), and 
then uses just the type theory specified. Users of the object theory should 
not be aware of the underlying framework, and can concentrate on their 
specific problem domain. (This is a type theory counterpart of Isabelle [12], 
where object logics are implemented in terms of an underlying framework.) 

— A platform for building useful applications. We plan to use type theory 
technology to build applications for non-experts, that require little or no 
knowledge of type theory to use successfully. An example we are considering 
is a tool for verification of concurrent programs. 

— A simple type theory implementation for use with applications presenting a 
Mathematical Vernacular interface [3,17]. 

Plastic is implemented in the non-strict functional language Haskell [11], 
and is best used with Aspinall’s Proof General interface for xemacs [1]. For more 
information on Plastic, see the URL www.dur.ac.uk/CARG/plastic.html or the 
paper [4]. (Binaries together with a few libraries are available by ftp. Contact 
the first author for details.) 

2 LF and Inductive Types 
2.1 Basic Details of LF 

LF is a framework theory, so provides only the basic components of a type theory 
plus mechanisms which support definitions of more flexible ‘object’ type theories. 
In contrast to (e.g.) ECC, it is a simpler theory and places more constraints upon 
what can be done directly. (See Sect. 3.10 for an example.) The following is a 
brief overview of aspects of LF relevant to the remainder of the paper. 



The LF Kind System. Figure 1 gives the rules for forming kinds in LF. 
Kinds are framework-level types, as distinguished from the object level types 
that a user would be concerned with. There is a distinguished kind Type, which 
signifies the universe of object types. A value of this kind is lifted to kind level 
by the El operator, as per the second rule, to form an "El-kind". Given a type A 
(written A : Type), a value t in type A is a member of the El-kind of A, written 
t : El(A). Finally, dependent products are the kinds of functions (the third rule). 
Note that dependent products are not directly equivalent to Pi types of ECC; 
LF provides the η-rule for dependent products, and dependent products cannot 
be defined inductively (see Sect. 3.10 for a discussion). 

$$ \frac{\Gamma\ valid}{\Gamma \vdash Type\ kind} \qquad \frac{\Gamma \vdash A : Type}{\Gamma \vdash El(A)\ kind} \qquad \frac{\Gamma \vdash K\ kind \quad \Gamma, x{:}K \vdash K'\ kind}{\Gamma \vdash (x{:}K)K'\ kind} $$

Fig. 1. Kind formation in LF 
In the paper, we use some notational conveniences: El 'operators' are often 
omitted, since type checking can insert them without ambiguity, and write (A)B 
or A → B for dependent products where the bound variable does not occur free 
in B. Since we do not discuss object-level type theories (where the users’ types 
occur), we allow the imprecision of calling kinds ‘types’. 



Extending LF. To specify an object theory with LF, new constants must be 
declared and the definitional equality extended to show the behaviour of those 
constants. The constructors and elimination operator of an inductive type are 
an example of the former, and the latter is exemplified by the computation 
rules which describe the elimination process. Note that definitional equality is a 
central concept of LF, and is expressed as a judgement form. 



Inductive Types in LF. The Coq system (and others) provide a ‘case’ con- 
struct for indicating computations over inductive types. LF instead provides 
elimination operators for this purpose. We briefly explain how these are used. 
Generically, uses of them have this form: E C f z. Firstly, elimination over one 
inductive type produces a value of the same type or of another type. The result 
type is encoded by C, e.g. [_ : List]Nat - a transformation from List to Nat, as 
would happen when taking the length of a list. One name for the C argument 
is the elimination family¹. Note that elimination families have kind (X)Type, 
signifying that elimination can only produce values in a Type, and not in an 
arbitrary kind. This means that we cannot inductively define a dependent pro- 
duct (see Sect. 3.10). Next, for each constructor there is a ‘function’ fi that 
indicates what to do when that constructor is matched; this has parameters of 
the constructor arguments and the results of elimination over some of those ar- 
guments. In the list length example, nil maps to zero and for cons, the function 
[_ : A][xs':Nat]succ xs' adds one to the length of the list tail. The final z is the 
object to be eliminated. 

2.2 The Schema for Inductive Types 

Chapter 9 of [15] contains a pattern which captures a well-behaved subset of 
inductive types and shows how to generate an elimination operator and compu- 
tation rules for them. It is defined in terms of a language LF_⊙, which prescribes 
definitional equalities between (identical) constants of the same inductive type². 

The following schema only covers inductive types. Inductive families may be 
handled by an extension of the schema (see Sect. 9.3.5 of [15] for more infor- 
mation), and parametrized inductive types are obtained by abstracting over the 
final results. The symbol X is a placeholder for the name of the inductive type 
being introduced. The definitions are w.r.t. a context Γ, but these details have 
been omitted for reasons of space. 

¹ McBride [pers. comm.] suggests the alternative term 'motive' for them. 

² The details of LF_⊙ are not relevant to the implementation, since we use concrete 
names throughout, and constants of the same name are convertible (and names of 
constants must be unique in the context). 
Relevant Definitions. First, we say that a kind is small if it is either of 
the form El(A) or of the form (x:K_1)K_2 with K_1 and K_2 small kinds. A de- 
pendent product is a Strictly Positive Operator w.r.t. X if it has the form 
(x_1:K_1)...(x_m:K_m)X, with m ≥ 0 and K_i being small kinds in which X does 
not occur free. An inductive schema Θ w.r.t. (the placeholder) X is of one of the 
following forms: 

1. Θ = X, or 

2. Θ = (x:K)Θ_0, where K is a small kind and Θ_0 is an inductive schema, or 

3. Θ = (Φ)Θ_0, where Θ_0 is an inductive schema and Φ is a strictly positive 
operator w.r.t. X. 

An inductive type M[Θ̄] is generated by a sequence of inductive schemata 
Θ̄ = Θ_1, ..., Θ_n (w.r.t. the same placeholder X which becomes bound in M[Θ̄]). 
Associated with the inductive type are its introduction operators ι_i[Θ̄] (i = 
1, ..., n) and an elimination operator E[Θ̄] with appropriate computation rules. 

The Elimination Operator. Let Θ̄ = (Θ_1, ..., Θ_n) (n ∈ ω) be a sequence of 
inductive schemata in Γ. Define auxiliaries Θ°[A, C, z] and Φ♮[A, C, f, z] (the latter 
of kind Φ°[A, C, z]³) as follows: 

1. Let Θ = (x_1:M_1)...(x_m:M_m)X be an inductive schema and (M_{q_1}, ..., M_{q_k}) the 
subsequence of (M_1, ..., M_m) which consists of the strictly positive operators. 
Then, for A : Type, C : (A)Type and z : Θ[A]: 

$$ \Theta^\circ[A, C, z] =_{df} (x_1:M_1[A])...(x_m:M_m[A])(M_{q_1}^\circ[A, C, x_{q_1}])...(M_{q_k}^\circ[A, C, x_{q_k}])\ C(z(x_1, ..., x_m)). $$

2. Let Φ = (x_1:K_1)...(x_m:K_m)X be a strictly positive operator w.r.t. X. Then, 
for A : Type, C : (A)Type, f : (x:A)C(x) and z : Φ[A]: 

$$ \Phi^\natural[A, C, f, z] =_{df} [x_1:K_1]...[x_m:K_m]\ f(z(x_1, ..., x_m)). $$

Then, Θ̄ generates an elimination operator E[Θ̄] of the following type: 

$$ E[\bar\Theta] : (C:(M[\bar\Theta])Type)(f_1:\Theta_1^\circ[M[\bar\Theta], C, \iota_1[\bar\Theta]]) ... (f_n:\Theta_n^\circ[M[\bar\Theta], C, \iota_n[\bar\Theta]])(z:M[\bar\Theta])C(z) $$

and generates the following n computation rules for i = 1, ..., n: 

$$ E[\bar\Theta](C, \bar f, \iota_i[\bar\Theta](\bar x)) = f_i(\bar x, M_{q_1}^\natural[M[\bar\Theta], C, E[\bar\Theta](C, \bar f), x_{q_1}], ..., M_{q_k}^\natural[M[\bar\Theta], C, E[\bar\Theta](C, \bar f), x_{q_k}]) : C(\iota_i[\bar\Theta](\bar x)) $$

where Θ_i has form (x_1:M_1)...(x_{m_i}:M_{m_i})X, and (M_{q_1}, ..., M_{q_k}) is the subsequence 
of (M_1, ..., M_{m_i}) that consists of the strictly positive operators, and f̄ stands for 
f_1, ..., f_n and x̄ for x_1, ..., x_{m_i}. 

³ Notice that Φ can be regarded as an inductive schema with no strictly positive 
operators, and hence Φ°[A, C, z] is defined. 
An Example. A type Nat of natural numbers can be defined as Nat =_df M[Θ̄], 
where Θ̄ = X, (X)X. The introduction operators are 0 =_df ι_1[Θ̄] : Nat and 
succ =_df ι_2[Θ̄] : (Nat)Nat. The elimination operator and computation rules are: 

$$ E_{Nat} : (C:(Nat)Type)(c:C(0))(f:(x:Nat)(C(x))C(succ(x)))(z:Nat)C(z) $$

$$ E_{Nat}(C, c, f, 0) = c $$
$$ E_{Nat}(C, c, f, succ(x)) = f(x, E_{Nat}(C, c, f, x)) $$



3 Basic Implementation of Inductive Types 

This section outlines the process of transforming declarations to constants and
computation rules. The presentation follows the structure of Sect. 2.2, showing
how each stage is realised in Plastic as Haskell code; the correspondence is quite
close. (See Sect. 3.3 for a brief explanation of Haskell notation.) The presentation
mirrors the simple architecture of the implementation: first, analysis collects useful
information in addition to checking the constraints, then synthesis rearranges
this collected information. Finally, we consider extensions of the basic scheme,
namely parametrisation, inductive families, and mutually recursive types.



3.1 Running Example 

We take the inductive type of lists (with a fixed element type A) as a concrete 
example. In the notation of Sect. 2.2, this is introduced by 

$$\mathit{List}_A =_{df} \mathcal{M}[X, (A)(X)X]$$
$$\mathit{nil}_A =_{df} \iota_1[X, (A)(X)X] : \mathit{List}_A$$
$$\mathit{cons}_A =_{df} \iota_2[X, (A)(X)X] : (A)(\mathit{List}_A)\,\mathit{List}_A$$

(The elimination operator and computation rules will be presented later.) The 
form of declaration expected by Plastic is shown below. This declaration is the 
starting point of the process. On the notation used in Plastic: LF dependent 
products are shown as (x:A)B, and if the bound variable does not occur free 
in B, then as A -> B, where -> associates to the right. Comments begin with 
— . Function application binds tighter than infix operators (like ->), hence we 
omit unnecessary parentheses. Instead of the placeholder $X$, we write directly
the name of the type being introduced.

[A : Type];                               -- hypothesis

Inductive [List : Type]                   -- type name

Constructors [nil : List]                 -- constructors
             [cons : (x : El A)(xs : List) List];
Note that the declaration depends on a type A. We could write this as an explicitly
parametrised type (see Sect. 3.7 for more details). Or we could have chosen
a simple inductive family (see Sect. 3.8), such as vectors, i.e. lists which record
their length as the family argument, e.g. vnil : Vec A zero. But the techniques
to be explained do not change significantly when used on these extended
forms, so we prefer the simpler version.



3.2 Which Syntax? 

Plastic uses two representations for terms: a concrete syntax for all input,
including object theory syntax, and an abstract syntax for internal representation,
which is specialised towards efficient manipulation of LF terms. Thus we
have a choice of input to the inductive types mechanism: concrete or (possibly
type-checked) abstract. At present, we operate on the concrete form of the
declaration. This is possible because the transformations can be implemented
entirely as simple syntax manipulations of a sub-language of LF terms with a
few additional occurs-checks. Switching to type-checked abstract syntax terms
may have advantages, e.g. allowing El to be omitted safely, but it will have
disadvantages, such as handling the de Bruijn indices. Note that everything arising
from the inductive declaration is thoroughly type-checked at the end, so there
is no particular advantage in starting with type-checked declarations.



3.3 Haskell Preliminaries 

This section gives a brief survey of the Haskell notation used in this paper. 
Fragments of Haskell code are quoted by prefixing each line with symbol >. 

— Tuples are written ('a', "b") etc., with their types written (Char, String)
etc. The function fst extracts the first component of a pair (2-ary tuple).

— Lists are written ['a', 'b', 'c'], with type [Char]. Cons is represented by
the infix symbol :, Nil is written [], and list append is ++.

— List comprehensions are a convenient shorthand for mapping, filtering, and
concatenation of lists. The following definitions are equivalent:

> foo1 ns = [ x * y | x <- ns, y <- ns, x + y < 10 ]

> foo2 ns
>   = let f1 x = map (* x) (filter (\y -> x + y < 10) ns)
>     in concat (map f1 ns)

— Functions can be used as infix operators by quoting them in backticks, e.g.
id `map` [1,2,3]. Unless declared otherwise, these operators are left associative
with highest precedence (only exceeded by function application).

— A double hyphen -- marks a comment which extends to the end of the line.

— Algebraic data-types are introduced with data, and may be pattern matched.
The following introduces a type of binary trees with integers at the nodes:

> data Tree = Empty | Tree Int Tree Tree
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3.4 Auxiliary Definitions 

For the purposes of this paper, the concrete syntax of Plastic is as follows: 



> type Var = String              -- type synonym

> data Term = Nm Var             -- name
>           | El Term            -- El-term
>           | Ap Term Term       -- application
>           | FO Var Term Term   -- lambda abstraction
>           | DP Var Term Term   -- dependent product



The Var type is shown as a string here for simplicity; in Plastic, it is a more
complex type which distinguishes conventional names from symbolic operators,
infix names, and 'underscores' (or nameless bound variables). The following
functions assist in building trees of applications, and in building bound terms.



> ap_ts :: Term -> [Term] -> Term
> ap_ts = foldl Ap
>   -- left nested applications, terms at leaves

> ap_nms :: Var -> [Var] -> Term
> ap_nms f as = Nm f `ap_ts` map Nm as
>   -- left nested applications, names at leaves

> un_bs :: [(Var, Term)] -> Term -> Term
> un_bs ts t = foldr (\(v, ty) -> DP v ty) t ts
>   -- dependent products, from list of bindings

> un_bs_FO :: [(Var, Term)] -> Term -> Term
> un_bs_FO ts t = foldr (\(v, ty) -> FO v ty) t ts
>   -- lambda abstractions, from list of bindings



3.5 Analysis of Declarations 

An example of the concrete syntax for declarations was given in Sect. 3.1. The 
first check is on the inductive type name: for simple types, the declaration must 
have the form [name : Type], a reminder that we are inductively defining an 
element of the kind Type. Secondly, a check is made that none of the constructor 
names occur in the kinds of the constructors; this cannot occur in the $\Theta$ notation,
but with explicit names, the user is able to write it, hence the need to check. 
Then, each constructor is analysed in terms of the following three concepts, 
starting with the inductive schema level and working downwards. 



Small Kinds. A small kind is a kind that does not contain the kind Type,
so it is either an El-kind or a dependent product whose domain and range are
small kinds. The purpose of requiring small kinds is to avoid paradox.
Implementation. Checking the smallness of a kind is implemented by recursion
on the structure of the term, and returns a Boolean value. Notice that we can't
define kind-valued functions in LF, so there is no need to check that an expression
reduces to a dependent product etc. This allows us to use a straightforward
syntactic check. There is no attempt here to check if the El-kinds are well-formed,
e.g. to prohibit (El (El X)); this will be done by later type checking.

The schema calls for small kinds which do not contain free occurrences of the
placeholder $X$; this is not implemented here, but is checked as part of the tests
for strictly positive operators and inductive schemata as an explicit occurs-check.



Strictly Positive Operators. A strictly positive operator (SPO) is a kind of
form $(x_1{:}K_1) \ldots (x_m{:}K_m)\, X$ with $m \ge 0$ and the $K_i$ being small kinds in which $X$,
the name of the inductive type, does not occur free.

Implementation. The test for a SPO is a simple structural recursion plus an 
occurs-check on the small kinds; as above, we do not need to consider reduction, 
since LF does not contain kind-valued functions. The occurs check is also a
simple structural recursion; since we are working in concrete syntax, this is just 
a tree traversal which looks for a specific name in a non-binder position and 
ignores subtrees where the name is bound. 

We retain information about the dependent product bindings for later use,
and keep it in the following data structure; it is the series of bindings represented
as a list of pairs $(x_i, K_i)$ of bound variable name and its kind:

> data SPO = SPO [(Var, Term)]



Inductive Schemata. This is the top level of a constructor's kind, indicating
that the constructor may take non-recursive arguments (as small kinds) and
recursive arguments (strictly positive operators), and return a value in the type
$X$. An inductive schema $\Theta$ w.r.t. a placeholder $X$ has one of the following forms:

1. $\Theta = X$

2. $\Theta = (x{:}K)\,\Theta_0$, where $K$ is a small kind that does not contain $X$, and $\Theta_0$ is
an inductive schema w.r.t. $X$

3. $\Theta = (\Phi)\,\Theta_0$, where $\Theta_0$ is an inductive schema and $\Phi$ is a strictly positive
operator, both w.r.t. $X$.

Implementation. Checking for an inductive schema is also implemented as structural
recursion with occurs-checks. The main difference is the information collected;
we represent all bindings as above, plus the information from the subset
which are strictly positive operators:

> data ISch = ISch [(Var, Term)] [(Var, SPO)] 

This is a two-field algebraic data type. The second field is derivable from the 
first (the first represents all bindings), so we could regenerate this information 
later, but storing it in this form is convenient. 
Case (3) above indicates non-dependence (i.e., no bound variable), but the
data structure explicitly requires one. This is deliberate; we require users to give
explicit and unique names to all bindings in their declarations of inductive types.
The generated constants will then use names selected by the user and meaningful
to them, rather than automatically generated names (x1, x2, etc.).

The explicit naming means extra checks are required to maintain adherence
to the schema. Specifically, the problem is that a bound name with strictly
positive operator kind can occur in $\Theta_0$ (this problem is similar to the issue of
constructor names occurring in the kinds of the other constructors). That is,
expressions of the following form might occur, where $\Phi$ is a valid SPO:

$$\Theta = (x : \Phi)(y : K)\, X$$

The problem is that the explicitly given name $x$ may occur in $K$. However, it is
impossible for the bound name of SPO kind to occur in a well-typed range (i.e.,
the $\Theta_0$ kind). $K$ itself cannot be $x$ because $\Gamma, x : \Phi \vdash x\ \mathit{kind}$ is not derivable.

The only place $x$ can occur is as an argument to some function. But in $\Gamma$, there
are no (monomorphic) functions which can take a value in the inductive type
being defined, because the type name has not been declared yet. Neither could
a polymorphic function be used (such as $\mathit{id} : (A{:}\mathit{Type})(a{:}A)\,A$), since the name of
the inductive type would occur in its arguments, and this would be caught by
the occurs-checks. Hence, no explicit check has been implemented in Plastic.



Remark. We can view the concepts above as a grammar for valid constructor 
kinds. The implementation can be regarded as a parser for this language, with 
the semantic action of representing the structure in a more convenient form. 
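As an added example (not Plastic's own code, and not from the paper), the following self-contained Haskell module implements the three checks above, Small Kinds, Strictly Positive Operators and Inductive Schemata, as such a parser over the Term type of Sect. 3.4, returning the ISch structures that the synthesis phase of Sect. 3.6 consumes. The function names analyseDecl, isSmallKind, spo and isch, and the spelling of the kind Type as the name Nm "Type", are assumptions of this example. Its constructed inputs are the List declaration of Sect. 3.1, an ordinal-like type whose limit constructor has an SPO with an argument, and a declaration with a negative occurrence of the type name, which the analysis rejects.

```haskell
-- Added example (not Plastic's code): the analysis phase of Sect. 3.5 over the
-- concrete syntax of Sect. 3.4.  analyseDecl, isSmallKind, spo and isch are
-- names chosen here; the kind Type is written as the name Nm "Type".
module Main (main) where

type Var = String

data Term = Nm Var              -- name
          | El Term             -- El-term
          | Ap Term Term        -- application
          | FO Var Term Term    -- lambda abstraction
          | DP Var Term Term    -- dependent product
          deriving (Show, Eq)

data SPO  = SPO [(Var, Term)]               deriving (Show, Eq)
data ISch = ISch [(Var, Term)] [(Var, SPO)] deriving (Show, Eq)

-- Occurs-check on concrete syntax: a tree traversal looking for the name x in a
-- non-binder position, ignoring subtrees in which x is (re)bound.
occurs :: Var -> Term -> Bool
occurs x (Nm y)     = x == y
occurs x (El t)     = occurs x t
occurs x (Ap f a)   = occurs x f || occurs x a
occurs x (FO y k b) = occurs x k || (x /= y && occurs x b)
occurs x (DP y k b) = occurs x k || (x /= y && occurs x b)

-- A small kind is an El-kind or a dependent product of small kinds.  As in the
-- text, no attempt is made to check that the El-kinds themselves are well formed.
isSmallKind :: Term -> Bool
isSmallKind (El _)       = True
isSmallKind (DP _ k1 k2) = isSmallKind k1 && isSmallKind k2
isSmallKind _            = False

-- Strictly positive operator w.r.t. x: (x1:K1)...(xm:Km) x with m >= 0, each Ki
-- a small kind in which x does not occur free.  The bindings are retained.
spo :: Var -> Term -> Maybe SPO
spo x = go []
  where
    go acc (Nm y) | y == x = Just (SPO (reverse acc))
    go acc (DP y k body)
      | isSmallKind k && not (occurs x k) = go ((y, k) : acc) body
    go _ _ = Nothing

-- Inductive schema w.r.t. x: every binding is either a non-recursive argument
-- (small kind without x) or a recursive argument (an SPO); the range must be x.
isch :: Var -> Term -> Maybe ISch
isch x = go [] []
  where
    go bs sps (Nm y) | y == x = Just (ISch (reverse bs) (reverse sps))
    go bs sps (DP y k body)
      | isSmallKind k && not (occurs x k) = go ((y, k) : bs) sps body
      | Just s <- spo x k                  = go ((y, k) : bs) ((y, s) : sps) body
    go _ _ _ = Nothing

-- Analyse a whole declaration: [name : Type], then one ISch per constructor,
-- after checking that no constructor name occurs in any constructor kind.
analyseDecl :: (Var, Term) -> [(Var, Term)] -> Either String [(Var, ISch)]
analyseDecl (tyName, tyKind) ctors
  | tyKind /= Nm "Type" = Left ("inductive type must be declared in Type: " ++ tyName)
  | any (\(_, k) -> any (`occurs` k) (map fst ctors)) ctors
                        = Left "a constructor name occurs in a constructor kind"
  | otherwise           = mapM one ctors
  where
    one (c, k) = maybe (Left ("kind of " ++ c ++ " is not an inductive schema"))
                       (\i -> Right (c, i)) (isch tyName k)

-- Constructed inputs: the List declaration of Sect. 3.1; an ordinal-like type
-- whose limit constructor has an SPO with one argument, olim : (f:(n:El Nat)Ord)Ord;
-- and a declaration with a negative occurrence, mk : (f:(g:El Bad)Bad)Bad.
listDecl, ordDecl, badDecl :: [(Var, Term)]
listDecl = [ ("nil",  Nm "List")
           , ("cons", DP "x" (El (Nm "A")) (DP "xs" (Nm "List") (Nm "List"))) ]
ordDecl  = [ ("ozero", Nm "Ord")
           , ("osucc", DP "o" (Nm "Ord") (Nm "Ord"))
           , ("olim",  DP "f" (DP "n" (El (Nm "Nat")) (Nm "Ord")) (Nm "Ord")) ]
badDecl  = [ ("mk", DP "f" (DP "g" (El (Nm "Bad")) (Nm "Bad")) (Nm "Bad")) ]

main :: IO ()
main = do
  print (analyseDecl ("List", Nm "Type") listDecl)   -- accepted; xs is the SPO
  print (analyseDecl ("Ord",  Nm "Type") ordDecl)    -- accepted; olim's SPO keeps binding n
  print (analyseDecl ("Bad",  Nm "Type") badDecl)    -- rejected by the occurs-check
```

The rejection of badDecl comes from spo rather than from a separate positivity test: the domain El Bad of the would-be SPO fails the occurs-check, so isch has no clause that accepts the binding f, exactly as the grammar reading of the Remark predicts.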



3.6 Creation of Elimination Operator and Rules 



The first step is to declare the constants (type and constructor names) from 
the inductive type declaration. Initially these are treated as simple hypotheses. 
The type of the elimination operator is then constructed and declared as a 
hypothesis. Finally, we generate a computation rule for each constructor, and 
check the validity of its type in the context of the previous declarations. The 
detailed treatment of computation rules is postponed until Sect. 5. Observe that 
type checking supplements the prior analysis, implicitly doing some of the tests 
that are difficult on concrete syntax. 

For reference, below is the analysis result for the List example, which is the 
input to this stage, followed by the output - the type of the elimination operator 
and its computation rules: 



> ischs = [ ISch                                          -- for nil
>              []                                          -- no bindings
>              []                                          -- so no SPOs
>          , ISch                                          -- for cons
>              [("x", El (Nm "A")), ("xs", Nm "List")]     -- two bindings
>              [("xs", SPO [])] ]                          -- 'xs' is a SPO
E_List : (C_List : El List -> Type)          -- elimination family
         El (C_List nil) ->                  -- case function f_nil
         ( (x : El A)                        -- case function f_cons: constr arg
           (xs : El List)                    --   constr arg
           El (C_List xs) ->                 --   recursive arg
           El (C_List (cons x xs)) ) ->      --   result
         (z : El List)                       -- value to be eliminated
         El (C_List z)                       -- overall result

E_List C f_nil f_cons nil         = f_nil                                  -- comp. rule for nil

E_List C f_nil f_cons (cons x xs) = f_cons x xs (E_List C f_nil f_cons xs) -- comp. rule for cons

Creation of the Elimination Operator. The type of the elimination operator 
is created by simple transformation of the collected ISch information of the 
constructors. These structures hold the relevant information in a convenient 
form, so the construction is straightforward. 

Strictly Positive Operators. These can be treated as inductive schemata without
strictly positive operators and whose binding is non-dependent (hence the
nameless variable underscore, see the footnote below), hence we just use the function for inductive
schemata, which we will explain next. The argument c_name is the bound name
for the elimination family.

> spo_type :: Var -> (Var, SPO) -> (Var, Term)
> spo_type c_name (nm, SPO bs)
>   = (underscore, isch_type c_name (nm, ISch bs []))

Inductive Schemata. Function isch_type produces the type of the function
which is applied to a constructor's arguments and the results of recursion via the
strictly positive operators. There appears to be no good name for such functions,
so we use the term "case function". Informally, the type of the case function is
a dependent product, one binding per constructor argument then one binding
per recursive call, ending with $C(c\, x_1 \ldots x_n)$, where $C$ is the elimination family, $c$
the constructor, and $x_i$ the constructor arguments. The bindings are constructed
from the ISch value; the normal bindings are unchanged, and bindings for the
SPOs are created with spo_type. The result type comes from applying the
elimination family to the constructor applied to its arguments. We build an LF term
by changing the list of bindings to a nested dependent product with function
un_bs (see Sect. 3.4). The overall result is a binding, where the bound variable
is the constructor name prefixed by f_.

Footnote: We could also use some name derived from the bound name, e.g. prefixed with 'r'
as a reminder that this variable results from a recursive call.
> isch_type :: Var -> (Var, ISch) -> (Var, Term)
> isch_type c_name (nm, ISch bs spos)
>   = (f_name nm,
>      un_bs (bs ++ map (spo_type c_name) spos) c_result)
>   where
>     c_result = Ap (Nm c_name) (nm `ap_nms` map fst bs)   -- C (c x1 ... xn)
>     f_name n = "f_" ++ n

Inductive Types. The main function mk_elim takes the name of the inductive
type and the list of ISch values, each paired with the constructor name.
Again, we assemble the bindings (first the elimination family, then a case function
for each constructor, and then the target of elimination), and use un_bs
to produce a dependent product term. The variable name binding the elimination
family is the type name prefixed with C_. Notice that the elimination family
has kind $(\_ : A)\mathit{Type}$. The significance of this is explored in Sect. 3.10.

> mk_elim :: String -> [(Var, ISch)] -> Term
> mk_elim type_name is
>   = un_bs ( [(c_nm, c_type)]
>          ++ [isch_type c_nm i | i <- is]
>          ++ [("z", Nm type_name)]
>           ) (Ap (Nm c_nm) (Nm "z"))
>   where
>     c_nm   = "C_" ++ type_name
>     c_type = DP underscore (Nm type_name) (Nm "Type")   -- (_ : X) Type

Creation of the Computation Rules. The process is similar to that for the
elimination operator type, as it synthesises terms from the set of ISch values. We
first consider recursive calls. All of these have the form of a fixed 'prefix' applied
to varying arguments, where the prefix is $\mathcal{E}[\bar\Theta](C, \bar f)$, the elimination operator
applied to the elimination family and the $n$ case functions. The form of this
prefix does not change in recursive calls, so we construct the term once and pass
it to the other rule-constructing functions. Function mk_e_prefix constructs the
prefix, which is passed as the e_prefix argument of the later functions.

> mk_e_prefix :: Var -> Var -> [(Var, ISch)] -> Term
> mk_e_prefix e_name c_name is
>   = e_name `ap_nms` (c_name : map fst is)   -- E (C, f1, ..., fn)

Strictly Positive Operators. Recall that SPOs in an inductive schema embody
recursion, so we must construct a call via the e_prefix. SPOs also take a number
of small kind arguments. In phi_nat, the SPO arguments are converted to
LF's lambda-bindings (un_bs_FO does this, given a list of bindings and a body),
and then the e_prefix is applied to the name of the SPO after it is applied
to the bound names. Alternatively, if $\Phi$ has form $(y_1{:}K_1) \ldots (y_m{:}K_m)\, X$ and $s$ is the
bound name of SPO kind, then the result is
$[y_1{:}K_1] \ldots [y_m{:}K_m]\,(\mathcal{E}\; C\; \bar f)(s\; y_1 \ldots y_m)$.

Footnote: The name _ is actually hard-coded in Plastic, and there is a chance that a parameter
of the inductive type can clash with this fixed name. We make no attempt to handle
clashes of names, requiring the user to choose distinct names, and also to avoid _.

> phi_nat :: Term -> (Var, SPO) -> Term
> phi_nat e_prefix (nm, SPO bs)
>   = un_bs_FO bs (Ap e_prefix (nm `ap_nms` map fst bs))

Inductive Schemata. The process for ISch is simpler: we just apply the relevant
function (named by prefixing the constructor name with f_) to the normal
constructor arguments and then to the results of the recursive calls arising from the
SPOs. Example output is shown at the start of this section, for the List example.

> construct_rule :: Term -> (Var, ISch) -> Term
> construct_rule e_prefix (nm, ISch bs spos)
>   = f_name nm `ap_nms` constr_args `ap_ts` recursive_args
>   where
>     constr_args    = map fst bs
>     recursive_args = map (phi_nat e_prefix) spos
>     f_name n       = "f_" ++ n

The actual implementation is slightly more complex; it also stores information
about the free names in the result of construct_rule, with their types.
This is explained further in Sect. 5.

3.7 Parametrized Types 

Declarations record parameters by listing them before the inductive type name,
as shown below. One technique for implementing parametrisation is to first process
the declaration in the context of assumed parameters, then to discharge
those parameters. Currently, Plastic does not have a full discharge tactic.

Inductive [A : Type] [List : Type]

Constructors [nil : List]
             [cons : (x : El A)(xs : List) List];

We use a direct method, where parametrisation is treated as an abbreviation 
for the explicit form. It is much easier to insert the extra parameters (or bindings 
for them, in type expressions) directly in the appropriate places in the terms 
constructed, and this has some advantages in implementing some of the later 
optimisations. The technique is straightforward; for example, bindings for the 
parameters are inserted as the first parameters for elimination operators, and 
occurrences of the inductive type name are suffixed with the new bound names. 

3.8 Inductive Families 

These are a generalisation of inductive types, where the entity being defined is 
a family of types, rather than just the kind Type. The family arguments vary 
according to a constructor and its arguments. A nice example is of Vectors, where 
the length of the vector is carried as the family argument, as shown below: 
Inductive [A : Type]
          [Vec : (n : El Nat) Type]

Constructors [vnil  : Vec (zero)]
             [vcons : (m : El Nat)(x : El A)(xs : Vec (m)) Vec (succ (m))];

The extended schema is outlined at the end of [15], and inductive families
have been implemented in Plastic. To extend the implementation here is
straightforward: it just involves storing more information and inserting it appropriately
in the constructed terms. Recall that strictly positive operators and inductive
schemata were defined in terms of $X$. Now, we have $X(p_1 \ldots p_k)$, and must store
the particular family arguments $p_1 \ldots p_k$ for each occurrence of $X$ - achieved by
extending the data types above and changing the simple checks on $X$ to ones
that return the family information. Later, the Synthesis phase can just read off
the required information.

3.9 Mutually Recursive Types and Inductive Propositions 

Simple forms of mutually recursive types, e.g. a set T of mutually defined types 
whose constructors can recurse over values in any type in T, are possible by 
extension of the above framework, and a form of this has been implemented 
in Lego. They have not been implemented in Plastic, but we do not envisage 
difficulties, and expect the work required to be possible by minimal changes to 
the above techniques, such as carrying some extra information. We have not 
considered more complex forms of mutual recursion. Inductive propositions, as 
implemented in Lego, are expected to be straightforwardly implementable; the 
main difference is that instead of defining a type in Type, one is defining an 
entity in the universe Prop of propositions (where Prop : Type). 

3.10 Inductive $\Pi$ Types

As a final example, and to illustrate an important feature of LF's inductive types,
we consider the problem of defining equality $\mathit{eq}_{\mathit{Nat}}$ on natural numbers, with kind
$(x : \mathit{Nat})(y : \mathit{Nat})\,\mathit{Bool}$. With elimination operators, the usual technique is to
do induction over $x$ to define a 1-ary predicate over $\mathit{Nat}$. That requires an
elimination family $[x{:}\mathit{Nat}]\,\mathit{Nat} \to \mathit{Bool}$. But this is not allowed, since $\mathit{Nat} \to
\mathit{Bool}$ is a kind and not a Type. We must introduce an inductive type which
represents the required function, hence the inductive type Pi:

Inductive [A : Type] [B : (x : A) Type] [Pi : Type]

Constructors [La : (f : (y : A) B y) Pi];

[ap =                                         -- (defined by elimination)
   : (A : Type)(B : A -> Type) Pi A B -> (x : A) B x];

We can now refine the subgoal ?i : Nat -> Bool with ap, to give a new subgoal
?j : Pi Nat ([y:Nat] Bool) which we can solve with elimination, using
the family $[x{:}\mathit{Nat}]\,\Pi(\mathit{Nat}, [y{:}\mathit{Nat}]\mathit{Bool})$.

Plastic does implement forms of sugaring for $\Pi$ and related type constructors
(e.g. $\forall$ in second order logic), plus we could also use a simpler, non-dependent
form of the $\Pi$-type. But the added complication is an intended consequence of
LF, and reinforces that LF is not meant to be used directly. How to implement
a user-friendly object level theory is a significant part of our current research.

4 A Property of Computation Rules 

4.1 The Problem 

Readers may have realised that parametrisation leads to duplication of parameters
in the computation rules, e.g. the rule for nil, where the 'A' appears twice.

E_List A C f_nil f_cons (nil A) = f_nil



At first sight, it appears that elimination of inductive types requires non-linear
pattern matching. One consequence is to complicate the reduction process,
since we have to perform a (framework-level) conversion test before allowing
the reduction. So, when testing the term (E_List A t1 t2 t3 (nil B)) for
reducibility, we would have to test convertibility of A and B. Pollack [pers.
comm.] noticed this problem in his work on Lego: he relies on implicit syntax
in this case, shifting the problem of pattern matching to solvability of
metavariables.

But, what happens if the conversion fails? Since each constructor has just one
possible elimination, there is no valid alternative apart from failure (i.e.,
$\bot$). This doesn't fit in a language with strong normalisation. We observe: given
the way the type of the elimination operators are constructed, it is impossible 
to construct an expression where conversion would fail, because that expression 
would be ill-typed. 

So, we claim the following: type checking guarantees that the conversion will 
succeed, because type checking must have done the required conversions anyway. 
This allows the implementation to ignore the second occurrence of the repeated 
arguments and treat the pattern as linear. 



4.2 Outline of Proof 

We consider the case of parametrized inductive types (i.e., not an inductive 
family), in LF extended with the scheme for inductive types. It makes use of three 
results from [10], Uniqueness of Kinds and the equivalence between conversion 
and judgemental equality, plus the Church-Rosser property for conversion. 



$$\frac{\Gamma \vdash M : K \qquad \Gamma \vdash M : K'}{\Gamma \vdash K = K'} \quad \text{(Uniqueness of Kinds)}$$

$$\frac{\Gamma \vdash M = M' : K}{M \simeq M'} \quad \text{(Conv-Eq)}$$
Let $X$ be a parametrised inductive type; a constructor of $X$ has a kind of the general
form (1), and the elimination operator has a kind of the general form (2), where $\bar R$ are
the types of the parameters to the inductive type, $\bar B$ are the types of the arguments
to constructor $c$, and $\bar F$ are the types of the case functions of the elimination operator.

$$c : (\bar r : \bar R)(\bar b : \bar B)\; X\, \bar r \qquad (1)$$

$$\mathcal{E}_X : (\bar r : \bar R)(C : (z : X\, \bar r)\mathit{Type})(\bar f : \bar F)(z : X\, \bar r)\; C\, z \qquad (2)$$

Eliminations have the form $(\mathcal{E}_X\, \bar p\, C\, \bar f)$ applied to a term $(c\, \bar q\, \bar a)$, where $c$ is a
constructor of $X$. The parameters are represented by $\bar p$ and $\bar q$, both containing $m$
terms. We want to show that if the elimination is well typed then $\bar p$ is convertible
with $\bar q$, which allows us to avoid convertibility checks in pattern matching.

$$(\mathcal{E}_X\, \bar p\, C\, \bar f) : (z : X\, \bar p)\; C\, z \qquad (3)$$

$$(c\, \bar q\, \bar a) : X\, \bar q \qquad (4)$$

Since the elimination is well typed, the term $(c\, \bar q\, \bar a)$ of type $(X\, \bar q)$ also admits
the type $(X\, \bar p)$, since this is the type required for the target of elimination:

$$c\, \bar q\, \bar a : X\, \bar p \qquad\qquad c\, \bar q\, \bar a : X\, \bar q$$

By the Uniqueness of Kinds theorem stated above, this implies that $(X\, \bar p)$ and
$(X\, \bar q)$ are judgementally equal. By Conv-Eq, we have the following:

$$X\, \bar p \simeq X\, \bar q$$

$X$ is a constant, hence neither term is a redex at its head: any reduction of either
term takes place inside the arguments. By the Church-Rosser property for $\simeq$ the two
terms have a common reduct, which must therefore be of the form $X\, \bar s$ with both $\bar p$
and $\bar q$ reducing to $\bar s$; this is the required result, $\bar p \simeq \bar q$.

The case for inductive families is more complex, since unlike simple parameters,
which appear unmodified in the types, the family arguments may be
modified. For example, in Vectors and the case for vcons, the pattern matching
on n is dependent on the family argument matching (succ n). We believe the
above proof can be extended to the case of parametrised inductive families.

E_V A C f_vnil f_vcons (succ n) (vcons A n a l)
  ==> f_vcons n a l (E_V A C f_vnil f_vcons n l)



5 Technical Details and Optimisations 

5.1 Internal Representation and Mechanism 

All of the computation rule equations have the form of an elimination operator
applied to several arguments, ending with a constructor that itself may have
several arguments. These are rewritten as LF $\lambda$-abstraction terms which take
the non-constructor arguments of the eliminator plus the arguments of the
constructor (with the repeated arguments ignored, as per the proposition of Sect.
4), and return the right-hand side of the rule. These are called the "reduction"
functions.

For example, consider the list constructor cons, parametrised by type A. The
reduction function f is shown in Haskell notation (the LF version with explicit
type labels is much longer). Notice that the second A has become an underscore
(nameless variable).

E_List A C f_nil f_cons (cons A x xs)              -- computation
  = f_cons x xs (E_List A C f_nil f_cons xs)       -- rule

f = \ A C f_nil f_cons _ x xs ->
      f_cons x xs (E_List A C f_nil f_cons xs)

Iota reduction is only attempted if beta-reduction and delta-reduction (definition
unfolding) are not applicable. An expression $(M\; N_1 \ldots N_n)$ is an iota redex
if $M$ is an eliminator of arity $n$, and $N_n$ is a constructor application $(c\, \bar x)$ (under
reduction to iota-delta-beta whnf). The reduction function of the constructor is
then applied to $N_1 \ldots N_{n-1}$ plus the arguments $\bar x$ of the constructor and reduced
to beta whnf; this whnf is the result of the reduction. The purpose of the beta
reductions is to substitute the parameters throughout the reduction function
body, leaving us with the right-hand side of the computation rule. It does not
do any of the computation specified by the case functions.
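As an added example (not Plastic's code), the following Haskell module is a toy evaluator for the mechanism just described: eliminators carry an arity, constructors carry a reduction function, and an iota step fires only on a fully applied eliminator whose last argument is a constructor application. The term type, the arity table and the reduction functions for the parametrised List are assumptions of this example; in particular, the reduction functions ignore the parameter repeated in the constructor, as Sect. 4 justifies, so the eliminator's parameter A and the constructor's parameter B are never compared. Case functions are opaque variables here, so, as in Plastic, the case functions' own computation is not performed; nfIota, which also reduces inside arguments, is only there to show the recursion unfolding.

```haskell
-- Added example (not Plastic's code): iota reduction via per-constructor
-- reduction functions (Sect. 5.1) with the linear patterns of Sect. 4.
-- Term, elimArity, nilRed and consRed are constructions of this example.
module Main (main) where

data Term = V String           -- variable or opaque constant (A, C, f_nil, ...)
          | App Term Term      -- application
          | Con String [Term]  -- constructor applied to all of its arguments
          | Elim String        -- elimination operator
          deriving (Show, Eq)

apps :: Term -> [Term] -> Term
apps = foldl App

-- Split a term into its head and the arguments it is applied to.
spine :: Term -> (Term, [Term])
spine (App f a) = let (h, as) = spine f in (h, as ++ [a])
spine t         = (t, [])

-- Arity stored with the eliminator: E_List A C f_nil f_cons z takes five arguments.
elimArity :: String -> Maybe Int
elimArity "E_List" = Just 5
elimArity _        = Nothing

-- A reduction function takes the eliminator's non-constructor arguments and
-- the constructor's own arguments, and returns the rule's right-hand side.
-- The parameter repeated inside the constructor is the "_" of the text: it is
-- convertible with the eliminator's parameter whenever the redex is well typed
-- (Sect. 4), so it is not inspected at all.
type RedFun = [Term] -> [Term] -> Maybe Term

nilRed, consRed :: RedFun
nilRed  [_a, _c, fNil, _fCons] [_] = Just fNil
nilRed  _ _ = Nothing
consRed pre@[_a, _c, _fNil, fCons] [_, x, xs] =
  Just (apps fCons [x, xs, apps (Elim "E_List") (pre ++ [xs])])
consRed _ _ = Nothing

-- Reduction function stored with each constructor.
redFun :: String -> Maybe RedFun
redFun "nil"  = Just nilRed
redFun "cons" = Just consRed
redFun _      = Nothing

-- One iota step at the head: (M N1 ... Nn) is a redex when M is an eliminator
-- of arity n and Nn is a constructor application.  Partial applications and
-- targets that are not constructors are left alone.
iotaStep :: Term -> Maybe Term
iotaStep t = case spine t of
  (Elim e, args)
    | Just n <- elimArity e, length args == n
    , Con c cargs <- last args, Just rf <- redFun c
    -> rf (init args) cargs
  _ -> Nothing

-- Weak head normal form w.r.t. iota: stops as soon as the head is a case
-- function, so the recursive call in the result stays unevaluated.
whnfIota :: Term -> Term
whnfIota t = maybe t whnfIota (iotaStep t)

-- Full normalisation, reducing inside arguments too (demonstration only).
nfIota :: Term -> Term
nfIota t = case spine (whnfIota t) of
  (Con c cs, args) -> apps (Con c (map nfIota cs)) (map nfIota args)
  (h, args)        -> apps h (map nfIota args)

-- Constructed input: the eliminator carries parameter A, the constructors carry
-- B.  In a well-typed term the two are convertible, so no conversion test is
-- made before reducing.
demo :: Term
demo = apps (Elim "E_List")
  [ V "A", V "C", V "f_nil", V "f_cons"
  , Con "cons" [V "B", V "x1", Con "cons" [V "B", V "x2", Con "nil" [V "B"]]] ]

main :: IO ()
main = do
  print (whnfIota demo)   -- a single iota step; the recursive E_List call remains
  print (nfIota demo)     -- the recursion unfolded down to f_nil
  print (iotaStep (apps (Elim "E_List") [V "A", V "C", V "f_nil", V "f_cons", V "z"]))
                          -- not a redex: the target is a variable, not a constructor
```

Because whnfIota only rewrites the head, the first print shows exactly one application of consRed, with the recursive call E_List A C f_nil f_cons (cons B x2 (nil B)) left as an argument; this mirrors the remark that the beta reductions in Plastic only substitute the parameters into the reduction function body and do none of the case functions' work.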

To avoid repeated context lookup, the internal representation of an elimi- 
nation operator contains its arity, and constructors contain their reduction fun- 
ctions. Notice that the constructors may have occurrences of their eliminator 
in their reduction functions, and the type of the eliminator will contain the 
constructors. Thus, care must be taken when adding the new constants in this 
form to the context so that the internal representations of all occurrences of the 
symbols are correctly created. 



5.2 Optimisations

Several aspects of iota reduction allow nice optimisations. In addition to well-known
techniques like performing as many simultaneous beta reductions as possible
(which avoids repeated adjustment of de Bruijn indices), we are getting
excellent results with the techniques listed below.

These optimisations were developed by analysing Plastic's performance with
the GHC compiler's profiling tools [22], and studying the bottlenecks. This
indicated what the expensive or repeatedly performed steps in computation were,
and thus showed the actual inefficiencies in the algorithms as opposed to those
we believed were problematic. By far, the major cost is manipulation of de Bruijn
indices; several of the optimisations implemented do reduce this significantly, but
there is still room for improvement.

— For the elimination expressions on the right hand sides of computation rules 
(i.e., which perform recursive calls), arity checking is not required. Occur- 
rences of elimination operators in the rules are always fully applied. 




Implementation Techniques for Inductive Types in Plastic 



111 



— “Partial reflection”: instead of using LF-level reduction, part of the work
of the reduction functions is done at the Haskell level. Some of the work of
beta reduction is done once and kept for certain terms, and the results used
whenever the term is. Note that despite this and other optimisations, Plastic
still behaves like other proof assistants, i.e. it will not do reductions unless they
are forced, and only does a single step at a time.

— Closed terms admit a simpler process of substitution. Such terms, when fully 
applied, make use of an optimised substitution function which avoids certain 
manipulations of de Bruijn indices. 

— The internal reduction functions are a special case of closed terms, allowing 
a still-simpler substitution to be done. 

— Binder prefix memoisation: terms with a binder prefix are associated with 
a count of the binders, allowing simultaneous reduction and a simplified 
substitution to be done if the term is fully applied. (This happens regularly 
in eliminations, consequently this step significantly improves speed.) 

— Lastly, some key Haskell functions were carefully rewritten to make best use
of non-strictness. This means that such functions now do the least computation
possible before choosing the next step of computation. On the other
hand, parts of the abstract syntax have been made explicitly strict, which
reduces some overheads in their use - for example, there is no advantage in
storing de Bruijn indices in a non-strict way.

We have some more optimisations in mind: 

— Full reflection for common classes of inductive type. That is, the reduction
functions of some types will be implemented by their equivalent implementation
language version. Typically, this will be used for common types such
as data structures, enumerations, Pi, Sigma, Nat etc. Such types, especially
Pi and Sigma, will be heavily used in LF implementations of object theories.

— Compilation of all terms to more efficient forms. Thus terms may end up with 
a standard “display form” and an internal form for efficient computation. 

— Representing recursive elimination calls in a form which avoids more work 
in iota reduction. Essentially, most of the arguments in an elimination call 
do not change, and it is possible to improve the substitution of these. 



6 Discussion 

We have implemented a subset of inductive families based on recursion through 
strictly positive operators, which are manipulated by elimination operators, and 
achieved respectable performance from the implementation with some simple 
optimisations. Whilst the inductive families implemented lack the generality of 
Coq’s inductive families [9], or the flexibility of McBride’s tactics [19], they are 
adequate for our current uses of Plastic. 

We also claim that the technique used to analyse declarations and to construct 
the elimination operator etc. is clear and easily understood, and will provide 
a useful alternative view to the mathematical presentation. A property of 
the schema for inductive types concerning linearity of pattern matching has been 
identified and documented, with an outline proof of the property. 

The work raises some interesting questions for future consideration. Of par- 
ticular interest is to study the behaviour of strict implementations compared to 
non-strict implementations on typical proof assistant tasks. Such studies could 
help understand the computational implications of computation in type theo- 
ries, and lead to better algorithms. For example, it is generally accepted that de 
Bruijn indices are a necessary technique, but we do not know of studies which 
investigate this question in detail. But at present, providing better tools for wor- 
king with inductive types, such as automatic generation of standard theorems 
and powerful tactics [19], is of greater importance. 

Acknowledgements. We would like to thank members of the Durham Computer 
Assisted Reasoning Group (CARG) for comments on drafts. The first author 
would also like to thank Zhaohui Luo for his continuing encouragement on Pla- 
referees, one of whom was particularly helpful. 
Abstract. We define constructive real numbers in the logical framework 
Coq using streams, i.e. infinite sequences of digits. Co-inductive types 
and co-inductive proofs make it possible to work naturally on this representation. 
We prove that our representation satisfies a set of basic properties which we 
propose as a set of axioms for constructive real numbers. 



1 Introduction 

The aim of this work is to experiment with a co-inductive representation of Real 
Numbers in the context of Logical Frameworks, i.e. interactive proof assistants based 
on Type Theory. This is an effort towards computer assisted formal reasoning 
on real numbers and it should provide a workbench for specifying and certifying 
lazy exact algorithms on them. 

Several computer aided formalizations of analysis exist in the literature. Chirimar 
and Howe [CH92] have developed analysis following the constructive approach 
to mathematics of Bishop [Bis67]: they represent real numbers by Cauchy 
sequences and prove the completeness theorem using the Nuprl system [Con86]. 
Jones [Jon91] has given some theorems of constructive analysis in Lego [Pol94]. 
More recently, Harrison [Har96] has presented a significant part of classical 
analysis in the context of the Isabelle-HOL system [GM93], introducing the reals 
by means of a technique closely related to Cantor’s classical method. Cederquist, 
Coquand and Negri [Ced97] have studied constructive analysis using a 
point-free topology approach. They prove constructively the Hahn-Banach theorem 
in an intensional Martin-Löf type theory and certify such a proof by Half 
[Mag95]. 

The main difference between our approach and the previous ones consists 
both in the representation chosen for reals and in the logical framework we use. 

We represent real numbers by potentially infinite sequences — i.e. streams — 
of 3 digits: {0, 1, -1}. This representation is close to those adopted in the field 
of exact computation. In recent years there has been growing interest in exact 
real number computation [Wei96,PEE97,Sim98]: this approach makes it possible to produce 
arbitrary precision results from data — thus avoiding the round-off errors typical 
of limited precision practice — without having to carry out any independent 
error analysis. Since exact computation is, among other things, motivated by software 
reliability reasons, it is important to certify the correctness of the algorithms 
performing exact computation on real numbers. 



T. Coquand et al. (Eds.): TYPES’99, LNCS 1956, pp. 114-130, 2000. 
© Springer-Verlag Berlin Heidelberg 2000 
We decided to use the logical framework Coq [INR00] to carry out our research. 
This choice is motivated by the fact that Coq allows a “natural” encoding 
of streams as infinite objects inhabiting co-inductive types; correspondingly, it 
provides useful techniques for dealing with co-inductive proof theory, such as the 
tactic Cofix. Our work is carried out in a constructive logic setting; up to now, 
it has not been necessary to use the Axiom of Excluded Middle, even if it could 
probably simplify some of the formal proofs we have developed. 

The main line of our research is the following: we start by representing real 
numbers by streams; then we define (co-)inductively on streams the notions of 
strict order (Less), addition (Add) and multiplication (Mult). We prove formally 
in Coq that these definitions satisfy a set of properties: we claim such properties 
can be taken as a set of axioms characterizing the constructive real numbers. 
We substantiate this claim by proving that most of the basic properties of 
constructive real numbers can be deduced from our axioms. 

The paper is structured as follows. Sections 2 and 3 respectively introduce and 
justify our representation of real numbers, which is then enriched with 
other notions in section 4. Of central importance in the article is the discussion 
about the choice of a (minimal) set of axioms characterizing constructive real 
numbers. This topic is undertaken in section 5 and continued afterwards. The last 
sections present the formalization and the study of the theory in Coq. 

Acknowledgement. We wish to thank the anonymous referees for the useful 
suggestions and the careful reading of the paper. We thank also Furio Honsell 
and Herman Geuvers for interesting discussions. 

2 Real Numbers 

Many classical constructions of real numbers exist in the literature: Cauchy sequences 
of rational numbers, Cauchy sequences of rational p-adic numbers, Dedekind 
cuts in the field of rationals, infinite decimal expansions, and so on. All such 
methods turn out to be equivalent, in the sense that they give rise to isomorphic 
structures. Many of these constructions can also be formulated in a constructive 
approach to mathematics, but in this case we don’t always obtain isomorphic 
structures — e.g. constructive reals via Cauchy sequences differ from the 
constructive reals through Dedekind’s cuts [TvD88]. 

In this work we will construct real numbers using infinite sequences of digits, 
i.e. “infinite expansions”. It is a well known phenomenon that standard positional 
notations make arithmetic operations on real numbers not computable [Bro24]. 
A classical solution to this problem is to adopt redundant representations: in a 
redundant representation a real number enjoys more than one representation. 
We decide to use here a signed-digit notation: we add the negative digit -1 to 
the binary digits 0 and 1 of the standard binary notation, maintaining 2 as the 
value for the base. 

We are going now to introduce the basic ingredients of our work. In order to 
explain and motivate our definitions we will refer to a field of the real numbers 
$\mathbb{R}$: this use of an already given field is not essential in our construction, but helps 
to understand the intended meaning of the definitions. Moreover, in section 3 
we will use the same $\mathbb{R}$ to give an external proof that the given definitions 
are correct. In this proof we will make use of simple arithmetic properties that 
are valid also for the constructive reals. It follows that it does not matter which field is 
chosen for $\mathbb{R}$: it could be either the classical or the constructive one [TvD88]. 
A notational issue: from now on we will use “:” as a juxtaposition operator for 
digits. 

Definition 1. (Ternary streams) 

Let str be the set of the infinite sequences built of ternary digits: 

$$str = \{\, a_1 : a_2 : a_3 : \ldots \mid \forall i \in \mathbb{N}^+.\ a_i \in \{0, 1, -1\} \,\}$$

The elements of str represent the real numbers via the interpretation function 
$[\![\cdot]\!]_{str} : str \to \mathbb{R}$, defined as: 

$$[\![a_1 : a_2 : a_3 : \ldots]\!]_{str} = \sum_{i \in \mathbb{N}^+} a_i \cdot 2^{-i}$$

We will use a, b, c, ... as metavariables ranging on ternary digits and x, y, z, ... 
as metavariables for streams. 

Using ternary streams we can represent any real number belonging to the closed 
interval [-1, 1]; it is not difficult to see that any element of the open interval 
(-1, 1) is represented by an infinite number of different streams. In order to 
handle arbitrarily large reals it is necessary to use a mantissa-exponent notation: 
we encode a real number by a pair (natural, stream), which we call “R-pair”. 

Definition 2. (R-pairs) 

Let R be the set $(\mathbb{N} \times str)$. 

The elements of R represent the real numbers via the interpretation function 
$[\![\cdot]\!]_R : R \to \mathbb{R}$, defined as: 

$$[\![(n, x)]\!]_R = 2^n \cdot [\![x]\!]_{str}$$

We will use r, s, t, ... as metavariables ranging on R. 

In order to complete our construction of real numbers it is necessary to pro- 
vide R with an order relation and a field structure: actually, the real line is 
completely determined by the binary “strict order” relation (<) and the func- 
tions of “addition” and “multiplication” . 

We have considered several different possible definitions for order, addition 
and multiplication in our research: in the end, we have chosen to describe not 
only the order, but also addition and multiplication using predicates rather than 
functions. This choice is due to the fact that the predicates are simpler to define. 
An intuitive motivation for this is that functions are required to be “productive” 
— i.e. they must supply a method to effectively calculate the result, given the 
input. On the contrary, a predicate just specifies the constraints that the output 
has to satisfy w.r.t. the input: it follows that it is a simpler task to prove the formal 
properties of the predicates. Anyway, we will introduce the functions too and we 
will prove they are coherent with respect to the predicates. One can interpret this 
fact by saying that the implementation (algorithms, functions) satisfies the specification 
(predicates). 

We have found that the length and the complexity of the formal proofs are 
greatly affected by the pattern of the definitions: quite frequently the proofs 
are obtained by structural (co-)induction on the derivations, so the number 
of the cases to consider increases together with the number of constructors of 
the predicate involved. In order to simplify the proofs, we have formalized the 
(co-)inductive predicates using at most two constructors, thus reducing the cases 
to analyze. 

We claim that these considerations about complexity of proofs have general 
meaning and are not specific to the particular proof assistant we have used: in 
fact, the proofs developed in Coq are just a completely detailed version of the 
proofs that we would write with paper and pencil. 

Let us now resume our goal: to define order, addition and multiplication. 

The strict order is defined by induction: this is possible because, given two R-pairs, 
we can semi-decide whether the first is smaller than the second just by 
examining a finite number of digits. The binary strict order relation on streams 
is defined in terms of an auxiliary ternary relation $less\_aux \subseteq (str \times str \times \mathbb{Z})$, 
whose intended meaning is: 

$$less\_aux(x, y, i) \iff ([\![x]\!]_{str} < [\![y]\!]_{str} + i)$$

This auxiliary predicate permits us to define more simply the main predicate of 
order on streams. In particular, using the integer parameter i we are able to 
do simpler proofs, because the extensive case analysis on the ternary digits is 
replaced by proofs over integers. 

Definition 3. (Order on streams) 

The predicate $less\_aux \subseteq (str \times str \times \mathbb{Z})$ is defined inductively by the two rules: 

$$\text{LESS-BASE} \quad \frac{}{less\_aux(x, y, big)} \qquad \text{where } big = 32$$

$$\text{LESS-IND} \quad \frac{less\_aux(x, y, i) \qquad (i + a) \le (2j + b)}{less\_aux(a : x,\ b : y,\ j)}$$

The predicate $less_{str} \subseteq (str \times str)$ is defined as: 

$$less_{str}(x, y) =_{def} less\_aux(x, y, 0)$$

The above definition requires some discussion. Referring to the intended meaning 
it is simple to see that the base rule is valid for any value of the parameter big 
greater than 2: a natural choice for big would be the integer 3, but any greater 
value gives rise to an equivalent definition. We have found that greater values 
simplify several proofs built by structural induction on the judgments of the kind 
less_aux(x, y, i). We have arbitrarily fixed big to 32. 

It is immediate to see that the base rule is correct. 

The induction rule can be informally justified by a simple calculation: 

$$[\![a : x]\!]_{str} < ([\![b : y]\!]_{str} + j) \iff$$
$$a/2 + ([\![x]\!]_{str}/2) < b/2 + ([\![y]\!]_{str}/2) + j \iff$$
$$[\![x]\!]_{str} < [\![y]\!]_{str} + 2j + b - a \iff$$
$$\exists i.\ ([\![x]\!]_{str} < [\![y]\!]_{str} + i) \wedge (i + a \le 2j + b)$$

The strict order relation can now be easily extended to R-pairs. 

Definition 4. (Order on R-pairs) 

The predicate $Less \subseteq (R \times R)$ is defined as: 

$$Less((m, x), (n, y)) =_{def} less_{str}(\underbrace{0 : \cdots : 0}_{n} : x,\ \underbrace{0 : \cdots : 0}_{m} : y)$$
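Read bottom-up, the two rules of Definition 3 are a search procedure, which is what makes the order semi-decidable on finite prefixes as remarked above. The following Python is an added example, not the authors' Coq development: streams are Python iterators, the names `less_aux_search`, `less_R`, `dyadic` and `third` are chosen here, and the early refutation branch is an inference from the soundness half of Proposition 1 rather than one of the rules.

```python
import itertools

BIG = 32  # the value the paper fixes for big in LESS-BASE


def dyadic(*digits):
    """Stream of a dyadic rational: the given signed digits, then zeros."""
    return itertools.chain(digits, itertools.repeat(0))


def third():
    """1/3 = 0.010101... in binary, as an infinite signed-digit stream."""
    return itertools.cycle([0, 1])


def less_aux_search(x, y, i=0, fuel=64):
    """Bottom-up search for a derivation of less_aux(x, y, i) (Definition 3).

    x and y are iterators of digits in {-1, 0, 1}.  To derive
    less_aux(a:x', b:y', j) with LESS-IND we need a premise less_aux(x', y', i')
    with i' + a <= 2j + b; the largest admissible i' is 2j + b - a, and once
    that bound reaches big the branch closes with LESS-BASE (any smaller i'
    is admitted too, so we may pick i' = big).  Returns (True, depth) when a
    derivation is found after `depth` uses of LESS-IND, (False, depth) when
    none can exist, and (None, fuel) when the digit budget runs out: the
    relation is only semi-decidable, e.g. x = y never terminates.
    """
    for depth in range(fuel):
        a, b = next(x), next(y)
        bound = 2 * i + b - a
        if bound >= BIG:
            return True, depth + 1
        if bound <= -BIG:
            # [[x']] < [[y']] + i' cannot hold for i' <= -big, since both
            # values lie in [-1, 1]; by soundness (Proposition 1) no
            # derivation exists.  This cut is an inference from the
            # proposition, not a rule of Definition 3.
            return False, depth + 1
        i = bound
    return None, fuel


def less_R(r, s, fuel=64):
    """Less on R-pairs (Definition 4): n zeros in front of x, m in front of y."""
    (m, x), (n, y) = r, s
    return less_aux_search(itertools.chain(itertools.repeat(0, n), x),
                           itertools.chain(itertools.repeat(0, m), y), 0, fuel)
```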



Contrary to the case of the order, the arithmetic predicates are defined 
by co-induction, because the process of adding or multiplying two real 
numbers is considered non-terminating. Co-inductive predicates originate judgements 
that can be proved by “infinitary” proofs, which are built using the corresponding 
introduction rules infinitely many times [Coq93,Gim94]. 

The predicates of addition and multiplication have the following pattern: 

predicate(operand1, operand2, result). 

We start from addition: as we have done for the order relation, we first define 
an auxiliary predicate on streams. The relation $add\_aux \subseteq (str \times str \times str \times \mathbb{Z})$ 
has intended meaning: 

$$add\_aux(x, y, z, i) \iff ([\![x]\!]_{str} + [\![y]\!]_{str}) = ([\![z]\!]_{str} + i).$$



Definition 5. (Addition) 

The predicate $add\_aux \subseteq (str \times str \times str \times \mathbb{Z})$ is defined by the co-inductive rule: 

$$\text{ADD-COIND} \quad \frac{add\_aux(x, y, z, (2i + c - a - b)) \qquad (-big < i < big)}{add\_aux(a : x,\ b : y,\ c : z,\ i)}$$

The addition predicate on streams $add_{str} \subseteq (str \times str \times str)$ is defined as: 

$$add_{str}(x, y, z)  =_{def} add\_aux(x, y, z, 0)$$

The addition predicate on R-pairs $Add \subseteq (R \times R \times R)$ is defined as: 

$$Add((m, x), (n, y), (p, z)) =_{def} add_{str}(\underbrace{0 : \cdots : 0}_{n+p} : x,\ \underbrace{0 : \cdots : 0}_{m+p} : y,\ \underbrace{0 : \cdots : 0}_{m+n} : z)$$


A Co-inductive Approach to Real Numbers 



The side-condition (-big < i < big) has been introduced in order that the 
relation add_aux is not total — otherwise one could easily prove the judgement 
add_aux(x, y, z, i) for any tuple x, y, z, i. Again, values of big greater than 3 
give rise to equivalent conditions, but lead to simpler proofs. 

The co-inductive rule can be informally justified by the calculation: 

$$([\![a : x]\!]_{str} + [\![b : y]\!]_{str}) = ([\![c : z]\!]_{str} + i) \iff$$
$$a/2 + ([\![x]\!]_{str}/2) + b/2 + ([\![y]\!]_{str}/2) = c/2 + ([\![z]\!]_{str}/2) + i \iff$$
$$[\![x]\!]_{str} + [\![y]\!]_{str} = [\![z]\!]_{str} + 2i + c - a - b$$

The multiplication predicate is defined in terms of that of addition. This time 
we need also to define an auxiliary multiplication between digits and streams. 

Definition 6. (Multiplication) 

The function $times_{d,str} : \{-1, 0, 1\} \times str \to str$ is defined by co-recursion as: 

$$times_{d,str}(a, (b : x)) =_{def} (a \cdot b) : (times_{d,str}(a, x))$$

The multiplication predicate on streams $mult_{str} \subseteq (str \times str \times str)$ is defined by 
the co-inductive rule: 

$$\text{MULT-COIND} \quad \frac{mult_{str}(x, y, w) \qquad add_{str}(0 : times_{d,str}(a, y),\ 0 : w,\ z)}{mult_{str}(a : x,\ y,\ z)}$$

The multiplication predicate on R-pairs $Mult \subseteq (R \times R \times R)$ is defined as: 

$$Mult((m, x), (n, y), (p, z)) =_{def} mult_{str}(\underbrace{0 : \cdots : 0}_{p} : x,\ \underbrace{0 : \cdots : 0}_{p} : y,\ \underbrace{0 : \cdots : 0}_{m+n} : z)$$

The multiplication predicate $mult_{str}$ can be informally justified by calculations 
similar to those we have detailed for order and addition. 



3 Adequacy 

In this section we address the question of the adequacy of the definitions we 
have given for order, addition and multiplication. We present here two different 
approaches to justify our construction: the first argument is internal-axiomatic, 
the second external-semantic. 

Using the first approach we are going to show that the definitions of order, 
addition and multiplication satisfy all the standard properties valid for the real 
numbers. This proof is carried out in Coq. A limitation of this approach lies in 
the fact that so far there exists no standard axiomatization for the constructive 
reals. Another disadvantage lies in the heaviness of the proof editing: the 
formal proof of all the basic properties is actually a long and tiring job. In our 
attempt we have almost accomplished this internal proof of adequacy, which will 
be presented in section 7. 

The semantic argument works as follows. In the construction of the previous 
section we have specified the intended meaning of the sets and the predicates 
referring to an external model for the real numbers. It follows that we can justify 
our predicates by proving that their specification is sound and complete with 
respect to this external model. This proof makes use of some basic fundamental 
properties which also hold for the constructive reals. It has not been formalized 
in Coq, but we conjecture that it could be possible, using an already existing 
formalization of the real numbers — for example the classical axiomatization 
provided by the library Reals. 

This section is just devoted to the proof of the external adequacy. In the 
proofs below we don’t need to specify whether the external model $\mathbb{R}$ is the 
classical or the constructive one: this omission is motivated by the fact that the 
order relation is the same for both models. 

Proposition 1. (Adequacy of order) 

The rules for the order predicate are sound and complete. That is, for any couple 
of R-pairs r, s: Less(r, s) can be derived if and only if $([\![r]\!]_R < [\![s]\!]_R)$. 

Proof. It suffices to prove that the rules for the auxiliary predicate less_aux are 
sound and complete. The proposition then follows easily. 

It is quite simple to prove that the rules are sound — i.e. if less_aux(x, y, i) 
is derived, then $([\![x]\!]_{str} < [\![y]\!]_{str} + i)$. We need to check the two rules defining the 
induction: 

$$\text{LESS-BASE} \quad \frac{}{less\_aux(x, y, big)} \qquad\qquad \text{LESS-IND} \quad \frac{less\_aux(x, y, i) \qquad (i + a) \le (2j + b)}{less\_aux(a : x,\ b : y,\ j)}$$

The base rule is sound since every stream x represents a real number belonging 
to the interval [-1, 1]: then $[\![x]\!]_{str} < 3 - 1 \le big - 1 \le [\![y]\!]_{str} + big$. 

The induction rule is sound because from the hypotheses $([\![x]\!]_{str} < [\![y]\!]_{str} + i)$ and 
$(i + a) \le (2j + b)$ it follows that 
$[\![a : x]\!]_{str} = a/2 + ([\![x]\!]_{str}/2) < a/2 + ([\![y]\!]_{str} + i)/2 = b/2 + ([\![y]\!]_{str}/2) + (i + a - b)/2 \le b/2 + ([\![y]\!]_{str}/2) + j = ([\![b : y]\!]_{str} + j)$. 

The proof of the completeness is less obvious. We need first to choose a 
natural number k such that $(big + 6 < 2^k)$ and then prove, by induction on 
n, that if $([\![x]\!]_{str} + 2^{k-n} < [\![y]\!]_{str} + i)$ then the predicate less_aux(x, y, i) can 
be derived. Under this hypothesis the completeness property follows immediately, 
since if $([\![x]\!]_{str} < [\![y]\!]_{str} + i)$ then there exists a natural number n such that 
$([\![x]\!]_{str} + 2^{k-n} < [\![y]\!]_{str} + i)$. 

- Base step (n = 0). Let $x = (a : x_0)$ and $y = (b : y_0)$: from the hypothesis it follows 
that $(i > 2^k - 2)$; therefore $(big + a) \le (2^k - 6 + 1) \le (2^k + 2^k - 4 - 1) \le (2i + b)$. 
By the base rule we derive $less\_aux(x_0, y_0, big)$ and by the induction rule we 
have $less\_aux(a : x_0, b : y_0, i)$. 

- Inductive step. Let n = m + 1, $x = (a : x_0)$ and $y = (b : y_0)$. 

We need to provide a derivation for $less\_aux(a : x_0, b : y_0, i)$ under the hypothesis 
that $([\![a : x_0]\!]_{str} + 2^{k-(m+1)} < [\![b : y_0]\!]_{str} + i)$. From this hypothesis we have that 
$([\![x_0]\!]_{str} + 2^{k-m}) = (a + [\![x_0]\!]_{str} + 2^{k-m} - a) = (2([\![a : x_0]\!]_{str} + 2^{k-(m+1)}) - a) < (2([\![b : y_0]\!]_{str} + i) - a) = ([\![y_0]\!]_{str} + 2i + b - a)$. 
By induction hypothesis it is then possible to derive $less\_aux(x_0, y_0, 2i + b - a)$ and finally, 
by an application of the induction rule, we can conclude the proof. □ 
We now consider the arithmetic predicates: it is interesting to notice that the 
proof technique adopted for these co-inductive predicates is dual with respect to 
that used for the inductive predicate of order. 

Proposition 2. (Adequacy of addition) 

The rules for the addition predicate are sound and complete. That is, for any 
triple of R-pairs r, s, t: Add(r, s, t) can be derived by an infinite derivation if and 
only if $([\![r]\!]_R + [\![s]\!]_R = [\![t]\!]_R)$ holds in $\mathbb{R}$. 

Proof. In this case too it suffices to prove that the rule for the auxiliary predicate 
add_aux is sound and complete: the corresponding properties for the other 
predicates follow easily. It is interesting to remark that the proof we are giving for 
the co-inductive addition is almost dual with respect to the case of the inductive 
order. 

Using co-inductive reasoning, it is quite simple to prove that the rule is 
complete — i.e. if $([\![x]\!]_{str} + [\![y]\!]_{str} = [\![z]\!]_{str} + i)$, then there exists an infinitary 
proof for add_aux(x, y, z, i). We prove that under the hypothesis $([\![x]\!]_{str} + [\![y]\!]_{str} = [\![z]\!]_{str} + i)$ 
there exists a rule which permits to derive add_aux(x, y, z, i) 
using the judgement add_aux(x', y', z', i'), whose arguments satisfy $([\![x']\!]_{str} + [\![y']\!]_{str} = [\![z']\!]_{str} + i')$. 
Therefore, using the co-inductive hypothesis, the predicate 
add_aux(x', y', z', i') can be derived by means of an infinitary proof. 

Let $x = (a : x_0)$, $y = (b : y_0)$ and $z = (c : z_0)$. From the hypothesis 
$([\![a : x_0]\!]_{str} + [\![b : y_0]\!]_{str} = [\![c : z_0]\!]_{str} + i)$, by a simple calculation we have both 
$(-3 \le i \le 3)$ and $([\![x_0]\!]_{str} + [\![y_0]\!]_{str} = [\![z_0]\!]_{str} + 2i + c - a - b)$. It is then possible to 
deduce $add\_aux(a : x_0, b : y_0, c : z_0, i)$ from $add\_aux(x_0, y_0, z_0, 2i + c - a - b)$: 
we can conclude carrying out an infinitary proof using the second equation 
deduced above. 

The proof of the soundness is a little more subtle. We cannot simply prove that 
the rule for add_aux is sound, since by using co-inductively a rule that deduces 
valid conclusions from valid premises it is still possible to derive judgements 
which are not valid (for example, consider a rule for equality saying that from 
(x = y) it follows that (y = x), or the rule add_aux itself where the premise 
(-big < i < big) has been removed). In order to prove the soundness we need to 
use other arguments: after having chosen a natural number k such that $(big + 3 < 2^k)$, 
we will prove inductively on n that if add_aux(x, y, z, i) can be derived, then: 

$$|([\![x]\!]_{str} + [\![y]\!]_{str}) - ([\![z]\!]_{str} + i)| < 2^{k-n}$$

The soundness follows from the above inequality, since two real numbers 
arbitrarily close must be equal. The inductive proof proceeds as follows: first 
of all let $x = (a : x_0)$, $y = (b : y_0)$ and $z = (c : z_0)$; now, if the predicate 
add_aux(x, y, z, i) can be derived, it must be deduced via the co-induction 
rule. It follows that both the constraint (-big < i < big) and the predicate 
$add\_aux(x_0, y_0, z_0, 2i + c - a - b)$ can be derived. 

The base step (n = 0) follows immediately from the hypothesis. 

In the case where n = m + 1, we derive by inductive hypothesis the inequality 
$|([\![x_0]\!]_{str} + [\![y_0]\!]_{str}) - ([\![z_0]\!]_{str} + 2i + c - a - b)| < 2^{k-m}$. Then, by means of a 
simple arithmetic calculation, we conclude the proof. □ 
Proposition 3. (Adequacy of multiplication) 

The rules for the multiplication predicate are sound and complete. That is, for 
any triple of R-pairs r, s, t: Mult(r, s, t) can be derived by an infinite derivation 
if and only if $([\![r]\!]_R \cdot [\![s]\!]_R = [\![t]\!]_R)$ holds in $\mathbb{R}$. 

Proof. The proof works similarly to the case of addition. □ 

4 Equivalence and Arithmetic Functions 

In our framework any real number can be represented in infinitely many ways 
(an infinite choice of R-pairs denoting the same number is actually available): 
it is then natural to define an equivalence predicate on R-pairs. In constructive 
analysis it is possible to describe the equivalence relation on real numbers by 
means of the strict order relation. 

Definition 7. (Inductive equivalence) 

The inductive equivalence predicate $Equal_{ind} \subseteq (R \times R)$ is defined as: 

$$Equal_{ind}(r, s) =_{def} \neg(Less(r, s) \vee Less(s, r))$$

The validity of the above definition motivates our choice of the strict order as a 
basic notion for constructive real numbers. 

It is interesting to notice that the equivalence relation on R-pairs could also 
be defined directly via a co-inductive predicate. Following this approach it is 
convenient to introduce first an auxiliary predicate $equal\_aux \subseteq (str \times str \times \mathbb{Z})$, 
which has intended meaning: 

$$equal\_aux(x, y, i) \iff ([\![x]\!]_{str} = [\![y]\!]_{str} + i)$$



Definition 8. (Co-inductive equivalence) 

The predicate $equal\_aux \subseteq (str \times str \times \mathbb{Z})$ is defined by the co-inductive rule: 

$$\text{EQUAL-COIND} \quad \frac{equal\_aux(x, y, (2i + b - a)) \qquad (-big < i < big)}{equal\_aux(a : x,\ b : y,\ i)}$$

The equivalence predicate on streams $equal_{str} \subseteq (str \times str)$ is defined as: 

$$equal_{str}(x, y) =_{def} equal\_aux(x, y, 0)$$

The co-inductive equivalence predicate on R-pairs $Equal_{coind} \subseteq (R \times R)$ is defined 
as: 

$$Equal_{coind}((m, x), (n, y)) =_{def} equal_{str}(\underbrace{0 : \cdots : 0}_{n} : x,\ \underbrace{0 : \cdots : 0}_{m} : y)$$
The above definitions are very similar to those given for the addition predicate: 
if we fix the first argument of the addition to a stream of “zeros”, we can 
actually see the equivalence as a particular case of addition. It follows that the 
co-inductive predicate equal_aux can be justified by the same arguments used 
for add_aux. 

The main property about equivalence on R-pairs is that the inductive and 
the co-inductive definitions turn out to be equivalent. 

Theorem 1. (Inductive and co-inductive equivalence) 

Let r and s be R-pairs. Then: $Equal_{ind}(r, s)$ if and only if $Equal_{coind}(r, s)$. 

Proof. The proof of the implication (⇒) is straightforward. We perform case 
analysis on the parameters r, s and then we argue by co-induction. 

The case (⇐) is simple too. It is proved by induction and case analysis. 

The proposition is proved formally in the Coq system: the full proof is available 
at the URL http://www.dimi.uniud.it/~ciaffagl. □ 

We claim that this correspondence between a co-inductive predicate and the 
negation of an inductive one is just an instance of a more general phenomenon. 
We conjecture that a large class of co-inductive predicates (but not all [Coq93]) 
— those defined using decidable predicates — are equivalent to negations of some 
inductive one. 

Another important purpose of this section is to define the addition and 
multiplication functions. The addition for streams makes use of an auxiliary function 
$+_{aux} : (str \times str \times \mathbb{Z}) \to str$, whose intended meaning is: 

$$[\![+_{aux}(x, y, i)]\!]_{str} = \begin{cases} ([\![x]\!]_{str} + [\![y]\!]_{str} + i)/4 & \text{if } ([\![x]\!]_{str} + [\![y]\!]_{str} + i) \in [-4, 4] \\ -1 & \text{if } ([\![x]\!]_{str} + [\![y]\!]_{str} + i) < -4 \\ +1 & \text{if } ([\![x]\!]_{str} + [\![y]\!]_{str} + i) > 4 \end{cases}$$

Using the previous definition we can give addition algorithms for streams and 
R-pairs. We want here just to remark that the result of the addition between 
streams must be normalized (divided) by a factor 2, since streams can represent 
only the real numbers in the limited interval [-1, 1]. 

Definition 9. (Addition function) 

The function $+_{aux} : (str \times str \times \mathbb{Z}) \to str$ is defined by co-recursion: 

$+_{aux}(a : x,\ b : y,\ i) =_{def}$ let $j := (2i + a + b)$ in 

Case $j$ of 

$j > 2 : (1 : (+_{aux}(x, y, j - 4)))$ 
$j \in [-2, 2] : (0 : (+_{aux}(x, y, j)))$ 
$j < -2 : (-1 : (+_{aux}(x, y, j + 4)))$ 

end 

The addition function on streams $+_{str} : (str \times str) \to str$ is defined as: 

$$+_{str}(a : x,\ b : y) =_{def} +_{aux}(x, y, a + b)$$

The addition function on R-pairs $+_R : (R \times R) \to R$ is defined as: 

$$+_R((m, x), (n, y)) =_{def} (m + n + 1,\ +_{str}(\underbrace{0 : \cdots : 0}_{n} : x,\ \underbrace{0 : \cdots : 0}_{m} : y))$$

The multiplication function is defined in terms of the addition one. Also in 
this case it is convenient to use an auxiliary function $\times_{aux} : (str \times str \times str \times [-2, 2]) \to str$, 
with intended meaning: 

$$[\![\times_{aux}(x, y, z, i)]\!]_{str} = (([\![x]\!]_{str} \cdot [\![y]\!]_{str}) + [\![z]\!]_{str} + i)/4$$

Definition 10. (Multiplication function) 

The function $\times_{aux} : (str \times str \times str \times \mathbb{Z}) \to str$ is defined by co-recursion: 

$\times_{aux}(a : x,\ y,\ c : z,\ i) =_{def}$ let $(d : w) := +_{str}(times_{d,str}(a, y),\ z)$ in 

let $j := (2i + c + d)$ in 
Case $j$ of 

$j > 2 : (1 : (\times_{aux}(x, y, w, j - 4)))$ 
$j \in [-2, 2] : (0 : (\times_{aux}(x, y, w, j)))$ 
$j < -2 : (-1 : (\times_{aux}(x, y, w, j + 4)))$ 

end 

The multiplication function on streams $\times_{str} : (str \times str) \to str$ is defined as: 

$\times_{str}(a : a_1 : x,\ b : y) =_{def}$ let $(c : t) := +_{str}(times_{d,str}(a, y),\ times_{d,str}(a_1, b : y))$ 

in $\times_{aux}(x,\ b : y,\ t,\ (c + ab))$ 

The multiplication function on R-pairs $\times_R : (R \times R) \to R$ is defined as: 

$$\times_R((m, x), (n, y)) =_{def} (m + n,\ \times_{str}(x, y))$$
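As an added example (not the authors' Coq development), Definitions 6, 9 and 10 transcribed as co-recursive functions over lazy streams in Python, which here stand in for Coq's co-inductive types, together with a bounded unfolding of the rule of Definition 5 that checks the output of $+_R$ against its specification for a finite number of digits, in the sense of the coherence stated in Theorem 2 below. The class `Stream` and the names `add_aux`, `mult_aux`, `add_pred_prefix`, `value` and `value_R` are chosen here; `value` returns the partial sum of the first n digits, which is within $2^{-n}$ of the real value.

```python
from fractions import Fraction

BIG = 32  # the paper's bound in the side condition of ADD-COIND

class Stream:
    """Lazy, memoised signed-digit stream: a head digit in {-1, 0, 1} plus a
    thunk for the tail, so only the digits actually inspected are computed."""
    __slots__ = ("head", "_thunk", "_tail")

    def __init__(self, head, thunk):
        self.head, self._thunk, self._tail = head, thunk, None

    @property
    def tail(self):
        if self._tail is None:
            self._tail = self._thunk()
        return self._tail

    def digits(self, n):
        out, s = [], self
        for _ in range(n):
            out.append(s.head)
            s = s.tail
        return out

def zeros():
    return Stream(0, zeros)

def from_digits(ds):
    """Finite signed-digit list padded with zeros: a dyadic rational in [-1, 1]."""
    return zeros() if not ds else Stream(ds[0], lambda: from_digits(ds[1:]))

def prepend_zeros(k, x):
    return x if k == 0 else Stream(0, lambda: prepend_zeros(k - 1, x))

def value(x, n):
    """[[x]]_str truncated to n digits (exact); the real value is within 2^-n."""
    return sum(Fraction(d, 2 ** (k + 1)) for k, d in enumerate(x.digits(n)))

def value_R(r, n):
    """[[(e, x)]]_R = 2^e * [[x]]_str, truncated like value()."""
    return 2 ** r[0] * value(r[1], n)

# Definition 6: times_{d,str}(a, b : x) = (a * b) : times_{d,str}(a, x)
def times_d(a, x):
    return Stream(a * x.head, lambda: times_d(a, x.tail))

# Definition 9: [[+aux(x, y, i)]] = ([[x]] + [[y]] + i) / 4, with i kept in [-2, 2]
def add_aux(x, y, i):
    j = 2 * i + x.head + y.head
    if j > 2:
        return Stream(1, lambda: add_aux(x.tail, y.tail, j - 4))
    if j < -2:
        return Stream(-1, lambda: add_aux(x.tail, y.tail, j + 4))
    return Stream(0, lambda: add_aux(x.tail, y.tail, j))

def add_str(x, y):
    """[[x +str y]] = ([[x]] + [[y]]) / 2: the sum is normalised by 2."""
    return add_aux(x.tail, y.tail, x.head + y.head)

def add_R(r, s):
    (m, x), (n, y) = r, s
    return (m + n + 1, add_str(prepend_zeros(n, x), prepend_zeros(m, y)))

# Definition 10: [[×aux(x, y, z, i)]] = ([[x]] * [[y]] + [[z]] + i) / 4
def mult_aux(x, y, z, i):
    dw = add_str(times_d(x.head, y), z.tail)  # (d : w) := times(a, y) +str z
    j = 2 * i + z.head + dw.head
    if j > 2:
        return Stream(1, lambda: mult_aux(x.tail, y, dw.tail, j - 4))
    if j < -2:
        return Stream(-1, lambda: mult_aux(x.tail, y, dw.tail, j + 4))
    return Stream(0, lambda: mult_aux(x.tail, y, dw.tail, j))

def mult_str(x, y):
    """[[x ×str y]] = [[x]] * [[y]]; two digits a, a1 of x are consumed first."""
    a, a1 = x.head, x.tail.head
    ct = add_str(times_d(a, y.tail), times_d(a1, y))  # (c : t)
    return mult_aux(x.tail.tail, y, ct.tail, ct.head + a * y.head)

def mult_R(r, s):
    (m, x), (n, y) = r, s
    return (m + n, mult_str(x, y))

# Definition 5 as a finite check: unfold ADD-COIND n times and verify the side
# condition -big < i < big at every step.  A finite prefix can refute Add(r, s, t)
# but never prove it (the derivation is infinite): the predicate specifies,
# the function implements.
def add_pred_prefix(r, s, t, n):
    (m, x), (p, y), (q, z) = r, s, t
    x, y, z = prepend_zeros(p + q, x), prepend_zeros(m + q, y), prepend_zeros(m + p, z)
    i = 0
    for _ in range(n):
        if not (-BIG < i < BIG):
            return False
        i = 2 * i + z.head - x.head - y.head
        x, y, z = x.tail, y.tail, z.tail
    return True
```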

It is fundamental now to prove that the addition and multiplication functions 
are coherent w.r.t. the corresponding predicates. 

Theorem 2. (Arithmetic predicates and functions) 

The arithmetic predicates and functions are related by the following properties: 

$$\forall r, s \in R.\ Add(r, s, +_R(r, s))$$
$$\forall r, s, t \in R.\ Add(r, s, t) \iff Equal_{ind}(+_R(r, s), t)$$
$$\forall r, s \in R.\ Mult(r, s, \times_R(r, s))$$
$$\forall r, s, t \in R.\ Mult(r, s, t) \iff Equal_{ind}(\times_R(r, s), t)$$

Proof. The proposition is proved formally in the Coq system. □ 

If we consider the arithmetic predicates as a kind of specification for the 
corresponding functions, then the previous proposition states that the imple- 
mentation we have given by algorithms satisfies the specification. It follows that 
we can derive the properties of the functions from the properties of the corre- 
sponding predicates: this is an advantage, because the specifications are easier 
to work with. 

A final remark: the above proposition can be seen as a case-study for the 
goal of proving the correctness of functions performing exact real number com- 
putation. 
5 An Axiomatisation of Constructive Real Numbers 

In section 3 we have picked out and discussed two different approaches to justify 
our representation of the constructive real numbers. We start here by addressing 
the internal-axiomatic one. 

In order to prove the adequacy of our structure we would need to have at our disposal a 
set of properties characterizing abstractly the constructive real numbers, i.e. a set 
of axioms. As far as we know, there exists no such standard axiomatization: 
the only one we know of is that proposed by the working group of the FTA project 
[Fta99], whose aim is to formalize and prove in Coq the “Fundamental Theorem 
of Algebra”. Starting from the FTA’s axioms we have synthesized a simple and 
equivalent set of axioms. An advantage of having a small set of axioms is that 
it is easier to verify whether a given structure satisfies them. This process of 
minimalization has helped us to understand what the fundamental notions 
characterizing the constructive real numbers are. 

An advantage in presenting and using axioms consists in the re-usability of 
the proofs: if a certain property has been proved making use only of the axioms 
— and not considering the actual representation being studied — then we’ll be 
allowed to reuse the proof for any structure satisfying the same axioms. 

The axiomatisation we propose is the following; we use below the customary functional notation for the arithmetic operations.

Definition 11. (Axioms for constructive real numbers)

Constants:
  $R$, with $0_R, 1_R \in R$
  $< \ \subseteq R \times R$
  $+ : R \times R \to R$
  $\times : R \times R \to R$

Definitions:
  $\sim\ \subseteq R \times R$, with $\forall x, y \in R.\ (x \sim y) \Leftrightarrow (\neg(x < y) \wedge \neg(y < x))$
  $Near \subseteq R \times R \times R$, with $\forall x, y, \varepsilon \in R.\ Near(x, y, \varepsilon) \Leftrightarrow (x < y + \varepsilon) \wedge (y < x + \varepsilon)$

Order:
  neutral elements: $0_R < 1_R$
  $<$ is asymmetric: $\forall x, y \in R.\ (x < y) \to \neg(y < x)$
  $<$ is transitive: $\forall x, y, z \in R.\ (x < y) \wedge (y < z) \to (x < z)$
  $<$ is weak-total: $\forall x, y, z \in R.\ (x < y) \to ((x < z) \vee (z < y))$

Add:
  $+$ is associative: $\forall x, y, z \in R.\ ((x + y) + z) \sim (x + (y + z))$
  $+$ is commutative: $\forall x, y \in R.\ (x + y) \sim (y + x)$
  $+$ has identity: $\forall x \in R.\ (x + 0_R) \sim x$
  opposite exists: $\forall x \in R.\ \exists y \in R.\ (x + y) \sim 0_R$
  $+$ preserves $<$: $\forall x, y, z \in R.\ (x < y) \to (x + z) < (y + z)$
  $+$ reflects $<$: $\forall x, y \in R.\ 0_R < (x + y) \to ((0_R < x) \vee (0_R < y))$

Mult:
  $\times$ is associative: $\forall x, y, z \in R.\ ((x \times y) \times z) \sim (x \times (y \times z))$
  $\times$ is commutative: $\forall x, y \in R.\ (x \times y) \sim (y \times x)$
  $\times$ has identity: $\forall x \in R.\ (x \times 1_R) \sim x$
  inverse exists: $\forall x \in R.\ \neg(x \sim 0_R) \to \exists y \in R.\ (x \times y) \sim 1_R$
  $\times$ distributes over $+$: $\forall x, y, z \in R.\ (x \times (y + z)) \sim (x \times y) + (x \times z)$
  $\times$ preserves $<$: $\forall x, y \in R.\ (0_R < x) \wedge (0_R < y) \to (0_R < (x \times y))$
  $\times$ reflects $<$: $\forall x, y \in R.\ (x \times y < 1_R) \to ((x < 1_R) \vee (y < 1_R))$

Limit:
  limit exists: $\forall f : \mathbb{N} \to R.\ (\forall \varepsilon > 0.\ \exists n.\ \forall m > n.\ Near(f(n), f(m), \varepsilon)) \to (\exists x \in R.\ \forall \varepsilon > 0.\ \exists n.\ \forall m > n.\ Near(x, f(m), \varepsilon))$



It is natural now to raise the fundamental question whether this axiomatisa- 
tion is complete. In particular, one could require that all the properties provable 
starting from our representation of real numbers can also be proved using only 
the above axioms — we don’t know yet whether our axioms satisfy this com- 
pleteness requirement. A weaker and informal request consists in asking that 
using the above axioms it is possible to derive the standard and fundamental 
properties of the real numbers: we will discuss this and related aspects in section 



A final remark concerns the arithmetic functions "opposite" ($\lambda x.\,-x$) and "inverse" ($\lambda x.\,1/x$): we do not need to require their existence explicitly, provided that, in the statement of the corresponding axioms, we use existential quantification over Set rather than Prop. This assumption actually makes the Axiom of Choice provable in Coq.



6 Formalization in Coq

We have already motivated the use of the logical framework Coq to investigate the internal-axiomatic adequacy of our constructive real numbers. We recall here that the logic of Coq is intuitionistic by default.

The formalization of the structure we have developed is simple: we need only to translate our definitions into the specification language of Coq. The first step consists in the encoding of the datatypes (digits, streams and R-pairs).

(* Ternary digits: mino = -1, zero = 0, one = 1. *)
Inductive digit : Set := mino : digit | zero : digit | one : digit.
(* Infinite streams of digits. *)
CoInductive str : Set := cons : digit -> str -> str.
(* An R-pair (pair m x) is a natural exponent together with a digit stream. *)
Inductive R : Set := pair : nat -> str -> R.

The specification of the other constants of the structure is analogous. Two technical details: we use the function encod to map the symbolic names of the ternary digits to their integer values and the function append0 to "normalize" the streams. We list below these two definitions and some other examples of our formalization.
(* Integer value of a ternary digit. *)
Definition encod : digit -> Z :=
  [a:digit] Cases a of mino => ‘-1‘ | zero => ‘0‘ | one => ‘1‘ end.

(* Prepend n zero digits: this divides the value of the stream by 2^n. *)
Fixpoint append0 [n:nat] : str -> str :=
  Cases n of
    O     => [x:str] x
  | (S m) => [x:str] (cons zero (append0 m x))
  end.

(* (less_aux x y i) reads "x < y + i"; big bounds the distance between any
   two stream values, so less_base holds for every pair of streams. *)
Inductive less_aux : str -> str -> Z -> Prop :=
    less_base : (x,y:str) (less_aux x y big)
  | less_ind  : (x,y:str) (a,b:digit) (i,j:Z)
                (less_aux x y i) ->
                (‘i + (encod a) <= 2*j + (encod b)‘) ->
                (less_aux (cons a x) (cons b y) j).

Definition less_str : str -> str -> Prop :=
  [x,y:str] (less_aux x y ‘0‘).

(* Comparison of R-pairs: both streams are rescaled by append0 so that
   they can be compared digit-wise. *)
Definition Less : R -> R -> Prop :=
  [r,s:R] Cases r of (pair m x) => Cases s of (pair n y) =>
    (less_str (append0 n x) (append0 m y))
  end end.

(* (add_aux x y z i) reads "x + y = z + i"; i is the carry, kept within
   [-big, big] so that the co-inductive definition is well behaved. *)
CoInductive add_aux : str -> str -> str -> Z -> Prop :=
    add_coind : (x,y,z:str) (a,b,c:digit) (i:Z)
                (add_aux x y z ‘2*i + (encod c) - (encod a) - (encod b)‘) ->
                (‘-big <= i‘) -> (‘i <= big‘) ->
                (add_aux (cons a x) (cons b y) (cons c z) i).

(* Digit-wise product of a stream by a single digit (an infinite object). *)
CoFixpoint times_d_str : digit -> str -> str :=
  [a:digit] [x:str] Cases x of (cons b y) =>
    (cons (times_digit a b) (times_d_str a y))
  end.

(* Multiplication of streams, defined through addition of partial products. *)
CoInductive mult_tstr : str -> str -> str -> Prop :=
    mult_coind : (x,y,z,w:str) (a:digit)
                 (mult_tstr x y w) ->
                 (add_tstr (cons zero (times_d_str a y)) (cons zero w) z) ->
                 (mult_tstr (cons a x) y z).

It is natural now to focus briefly on (co-)inductive types and their inhabitants. In Coq, recursive types [Gim98a] can be classified into inductive [Coq92, PM93] and co-inductive ones [Gim94]: both are described by introduction rules. Elements of inductive types are constructed by means of a finite application of the introduction rules, whereas co-inductive ones can also be obtained by a potentially infinite use of the rules.

The user is allowed to construct (lazily) specific infinite objects using co-recursive definitions in the form of "fixed-point" declarations, provided the recursive calls are "guarded" [Coq93,Gim94,AG97,Gim98b]. An example is the infinite stream of "zeros", which can be obtained by the definition CoFixpoint zeros : str := (cons zero zeros). A dual situation holds for inductive objects: in this case recursive definitions can be used as elimination rules performing structural induction. The Coq code listed above shows the two cases just discussed: the function times_d_str builds infinite streams; the function append0 is defined by induction on a natural parameter.
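To make the encoding concrete, here is an added Python example (my own, not code from the paper or from its Coq development) that evaluates the predicates above on finite prefixes of digit streams: less_aux, less_str and Less through the least bound that the rules less_base and less_ind allow, and the add_coind step as a carry check. It assumes big = 3 (any integer greater than 2 works for values in [-1, 1]), reads a stream $d_1 d_2 \ldots$ as $\sum_i d_i 2^{-i}$ and a pair (m, x) as $2^m \cdot x$, which is what the definition of Less via append0 suggests; the invariants quoted in the comments are my reading of the rules, not statements from the paper. Because less_aux is inductive, a derivation always bottoms out with less_base on some tail, so a finite prefix is enough to decide whether less_str is derivable at that depth, whereas the co-inductive add_aux can only be checked, never completed, on a prefix.

```python
from fractions import Fraction
from math import ceil

# Ternary digits as in the paper's encod: mino = -1, zero = 0, one = 1.
BIG = 3   # assumed value of the paper's constant big; any integer > 2 works here


def value(digits):
    """Value of a finite prefix [d1, d2, ...]: sum of d_i * 2^-i, always in [-1, 1]."""
    return sum(Fraction(d, 2 ** (i + 1)) for i, d in enumerate(digits))


def digits_of(q, n):
    """n leading digits of a stream denoting the dyadic q in [-1, 1] (constructed helper)."""
    q = Fraction(q)
    assert -1 <= q <= 1
    out = []
    for _ in range(n):
        if q >= Fraction(1, 2):
            out.append(1)
            q = 2 * q - 1
        elif q <= Fraction(-1, 2):
            out.append(-1)
            q = 2 * q + 1
        else:
            out.append(0)
            q = 2 * q
    return out


def less_bound(x, y, big=BIG):
    """Least i such that less_aux x y i is derivable from prefixes x, y of equal
    length.  A derivation ends with less_base (bound big) on the unknown tails;
    walking back to the head, less_ind allows j whenever i + a <= 2*j + b, so
    the least usable j is ceil((i + a - b) / 2).
    Reading of the predicate (my assumption): less_aux x y i <=> value(x) < value(y) + i."""
    if len(x) != len(y):
        raise ValueError("prefixes must have the same length")
    i = big
    for a, b in zip(reversed(x), reversed(y)):
        i = ceil(Fraction(i + a - b, 2))
    return i


def less_str(x, y, big=BIG):
    """less_str x y = less_aux x y 0.  less_ind is monotone in j, so the judgement
    is derivable from these prefixes exactly when the least bound is <= 0; equal
    streams never get there, which is why < is strict."""
    return less_bound(x, y, big) <= 0


def append0(n, x):
    """append0 n x: n leading zero digits, i.e. the value divided by 2^n."""
    return [0] * n + list(x)


def Less(r, s, big=BIG):
    """Less (pair m x) (pair n y), where (m, x) denotes 2^m * value(x): compare
    append0 n x with append0 m y, i.e. both sides scaled by 2^-(m+n), on the
    longest common prefix."""
    (m, x), (n, y) = r, s
    xs, ys = append0(n, x), append0(m, y)
    k = min(len(xs), len(ys))
    return less_str(xs[:k], ys[:k], big)


def add_aux_ok(x, y, z, i, big=BIG):
    """Check add_coind digit by digit on finite prefixes: the carry i must stay in
    [-big, big] and the carry passed on to the tails is 2*i + c - a - b.
    Reading of the predicate (my assumption): add_aux x y z i <=> value(x) + value(y) = value(z) + i,
    so i = 0 asks whether z is a prefix of x + y."""
    for a, b, c in zip(x, y, z):
        if not -big <= i <= big:
            return False
        i = 2 * i + c - a - b
    return -big <= i <= big


if __name__ == "__main__":
    quarter, half = digits_of(Fraction(1, 4), 8), digits_of(Fraction(1, 2), 8)
    print(less_str(quarter[:3], half[:3]), less_str(quarter, half))  # three digits are not enough, eight are
    print(Less((0, half), (1, half)), Less((1, quarter), (0, half)))  # 1/2 < 1, and 1/2 is not < 1/2
    print(add_aux_ok(half, half, [1] * 8, 0), add_aux_ok(half, half, [1, 1, 0, 0, 0, 0, 0, 0], 0))
```

Note how the bound for equal prefixes stabilises at 1 and never reaches 0, and how a wrong digit in the sum makes the carry drift out of [-big, big] after a few positions: these are exactly the two conditions (strictness of less_aux, boundedness of the carry in add_coind) that the Coq definitions build in.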

7 Certification of the Constructive Real Numbers

The aim of this section is to present and discuss the main result of our work.

Theorem 3. (Constructive real numbers)

Our representation of real numbers satisfies the axioms of Definition 11.

So far we have not dealt with all the axioms: the properties concerning the order and the addition have already been proved in Coq; the proofs of the other properties are at the moment in progress, but we are optimistic about concluding them in the immediate future. The whole code is available at the URL http://www.dimi.uniud.it/~ciaffagl.

We want to supply here some remarks about the proof technique used.

Most of the proofs follow a similar pattern: first we prove a lemma for the auxiliary predicate, then a lemma for the predicate defined on streams, and finally a main proposition for the R-pairs. As already explained, we have preferred to develop the proofs for addition and multiplication using the predicates rather than the functions. Nevertheless, by the validity of Theorem 2, it is possible to transfer the proofs involving the predicates, thus obtaining those of the properties involving the corresponding functions.

Normally, the main difficulty is to prove the lemma at the "aux" level. In order to exemplify the whole process, let us consider the "associativity of addition". In this case we need to prove the following hierarchy of judgements:

$add\_assoc_{aux} : \forall x, y, z, w, u, v \in str.\ \forall i, j, k \in \mathbb{Z}.\ add_{aux}(x, y, w, i) \to add_{aux}(w, z, u, j) \to add_{aux}(y, z, v, i + j - k) \to add_{aux}(x, v, u, k)$

$add\_assoc_{str} : \forall x, y, z, w, u, v \in str.\ add_{str}(x, y, w) \to add_{str}(w, z, u) \to add_{str}(y, z, v) \to add_{str}(x, v, u)$

$add\_assoc_R : \forall r, s, t, l, p, q \in R.\ Add(r, s, l) \to Add(l, t, p) \to Add(s, t, q) \to Add(r, q, p)$

$add\_assoc : \forall r, s, t \in R.\ Equiv((r + s) + t,\ r + (s + t))$

Further details concern the two tactics we have mainly used: Cofix and Omega. The tactic Cofix is specific to co-inductive reasoning: it is the main tool for proving co-inductive assertions. This tactic allows one to develop top-down (infinitary) proofs assuming the conclusion as a premise, provided it is later used only within introduction rules. The tactic Omega automatically proves all the judgements expressed in the language of Presburger arithmetic: it has been very useful to avoid repeated case analyses on the values of the ternary digits. The use of this tactic and the introduction of the auxiliary predicates have permitted us to write quite simple proofs: almost all the propositions are proved by invoking at most 50 tactics.

8 Consequences of the Axioms

In order for the axiomatisation of Definition 11 to be considered (sufficiently) complete, most of the properties of the real numbers should follow from it.

A first step is to consider the axioms proposed by the FTA working group [Fta99]. We conjecture that all the properties presented there can be deduced using our axioms: we have proved this formally for all the axioms concerning the order relation and addition; we are confident that the others can be proved too.

Moreover, it is interesting to compare our axioms with the basic properties of the constructive reals presented by Troelstra and van Dalen [TvD88]. In that work, real numbers are constructed as Cauchy sequences of rationals; the formal properties of this construction are then studied in depth. So far we have investigated the properties concerning the order relation and addition. We have proved informally that they follow from our axioms and we are at the moment formalizing those proofs. At present we have proved the following facts, among other more technical ones.

— The relations "equal" ($\sim$), "less-equal" ($\leq$) and "apart" ($\#$) can be defined in terms of our "less" ($<$) relation.

— The relation $\sim$ is an equivalence. The relation $<$ is an order.

— The addition operation ($+$) preserves the order relation.

— The real numbers, equipped with the relation $\sim$ and the operation $+$, form a group.

As the reader can see, in some respects this is still work in progress. In the future we are going to conclude our basic formulation of analysis and then develop it. We are also interested in the use of our framework for testing the correctness of algorithms performing exact computation on real numbers. This and further work will be documented at the URL http://www.dimi.uniud.it/~ciaffagl.
Abstract. We propose a method to search for a lemma in a Coq proof 
library by using the lemma type as a key. The method is based on the 
concept of type isomorphism developed within the functional program- 
ming framework. We introduce a theory which is a generalization of the 
axiomatization for the simply typed A-calculus (associated with Closed 
Cartesian Categories) to an Extended Calculus of Constructions with 
a more Extensional conversion rule. We show a soundness theorem for 
this theory but we notice that it is not contextual and requires ”ad hoc” 
contextual rules. Thus, we see how we must adapt this theory for Coq 
and we define an approximation of the contextual part of this theory, 
which is implemented in a decision procedure. 



1 Introduction

The problem of easily finding software components in a library is fundamental. It is connected to code reusability. Indeed, reusable code is code which is not only sufficiently generic but which can also be found quickly when needed¹. This second component is often neglected because it is considered, wrongly, not to be very theoretical. Consequently, most current search tools are nothing more than identifier indexes, in which we systematically hope that the name given to the required function is sufficiently explicit for it to be found quickly. If you are the single author of the library you scan, the speed of your search depends only on your own memory, but if you are a co-author or not an author at all then the task may be very tedious. Thus, in a general way, we waste time in this approximate search which, if it fails, obliges the user to write code which may already exist. A typical example is that of the Caml function list_it², which, as shown in Table 1, has four different names in other ML versions.

As can be seen, an identifier is totally insufficient to allow a powerful search. The idea is thus to take the type as a search pattern and to carry out

* David.Delahaye@inria.fr, http://coq.inria.fr/~delahaye/.

** INRIA-Rocquencourt, Domaine de Voluceau, B.P. 105, 78153 Le Chesnay Cedex, France.

¹ In this regard, A. Mili, R. Mili and R. T. Mittermeir give a broad survey of software storage and retrieval methods in [15], where "software" is not necessarily only executable code.

² This is an abbreviated version of an example originally due to Mikael Rittri in [16].
Table 1. The list_it function in Caml and its counterparts.

Language                  Name         Type
LCF ML ([8])              itlist       $\forall \alpha \beta.\ (\alpha \to \beta \to \beta) \to List(\alpha) \to \beta \to \beta$
Caml ([12])               list_it      $\forall \alpha \beta.\ (\alpha \to \beta \to \beta) \to List(\alpha) \to \beta \to \beta$
Haskell ([9])             foldr        $\forall \alpha \beta.\ (\alpha \to \beta \to \beta) \to \beta \to List(\alpha) \to \beta$
SML of New Jersey ([3])   fold         $\forall \alpha \beta.\ (\alpha \times \beta \to \beta) \to List(\alpha) \to \beta \to \beta$
Edinburgh SML ([5])       fold_right   $\forall \alpha \beta.\ (\alpha \times \beta \to \beta) \to \beta \to List(\alpha) \to \beta$

comparisons modulo a certain equivalence. Then the following question arises: when are two types equivalent? There is no standard answer to this question; it depends on what we want to identify. A first naive choice could be to take syntactic equality. But this option is too restrictive, as shown again by the example of list_it in Caml (see Table 1), which has four distinct types in the various MLs. So the equivalence must be broader. Some work by Mikael Rittri ([16]) highlighted that the most favourable concept for search in libraries is that of isomorphic types. This concept, formalized and studied for many years by Roberto Di Cosmo, Giuseppe Longo, Kim Bruce and Sergei Soloviev (see, for example, [17], [6] and [7]), was implemented in a tool called CamlSearch, developed by Jerome Vouillon and Julien Jalon ([18]) at the LIENS in 1994. CamlSearch extends the theory used by Mikael Rittri (typically the seven axioms for Closed Cartesian Categories) to polymorphism and deals with unification. Another study by Maria-Virginia Aponte, Roberto Di Cosmo and Catherine Dubois ([1], [2]) tries to include the modules of Objective Caml ([13]). The objective of this work is to make such a tool for Coq³ ([4]).

First of all, we present the problem framework. Next, we see the basic concepts relating to type isomorphisms in order to build, thereafter, a theory in a type theory with extensional rules. From there, we adapt this theory to Coq and we define a decision procedure. Finally, we discuss our implementation and we provide some examples which give an idea of its use and its performance.

2 Framework 

2.1 Extensions 

The idea is to extend the theories built for programming languages to type 
theory. We do not aim to capture all type categories but only those which may 
be useful. So, it is not only a practical approach in the field of logic but also a 
theoretical study. 

An initial and easy extension is to have free polymorphism. Indeed, CamlSearch can only deal with ML-polymorphism (quantifiers on type variables appear only at the head, to keep type inference decidable). This restriction

³ From another perspective, Thomas Kolbe and Christoph Walther propose, in [10] and [11], to generalize computed proofs to produce schemes (for proofs and lemmas) which can match new lemmas and so can be reused.
has to be lifted and, for example, if we look for a Gödel recursor for type $T$, we expect that the two following types can be identified:

$T \to (nat \to T \to T) \to nat \to T$

$nat \to T \to (nat \to T \to T) \to T$

Next, it is quite natural to deal with dependent types, although this makes the problem much more difficult, for reasons which will become clear. In this task, we must be careful with variable renamings and especially with variable bindings. A typical example with dependent types could be the following lemma on integers:

$\forall n, m, p, q : \mathbb{Z}.\ n < m \to p < q \to (n + p) < (m + q)$

The user may want to move the variables $p$ and $q$ to the right of the subterm $n < m$ (because they do not occur in it) and so he/she can give the following type to hit the previous lemma:

$\forall n, m : \mathbb{Z}.\ n < m \to \forall p, q : \mathbb{Z}.\ p < q \to (n + p) < (m + q)$

In addition to dependent products, we may want to capture dependent tuples. Usual existential quantifiers are concerned but, in a theory with primitive inductive types, we can define other existential quantifiers, which are inductive types with one constructor and without a recursive position. For example, we can specify Euclidean division using the following inductive type:

$type\ diveucl\ (a, b : nat) = divex : \forall q, r : nat.\ b > r \to a = (q * b) + r$

where $divex$ is the single constructor of $diveucl$. Then the theorem is expressed as follows:

$\forall b : nat.\ b > 0 \to \forall a : nat.\ (diveucl\ a\ b)$

Here $diveucl$ plays the role of a customized existential quantifier, and the user, who does not know of the existence of $diveucl$, certainly expects to find the theorem by using the usual existential quantifiers to express his/her type, which may be:

$\forall a, b : nat.\ b > 0 \to \exists q, r : nat.\ (a = (q * b) + r) \wedge (b > r)$



2.2 Limitations 

In the present work, there are some features we do not want to deal with and 
this leads to limitations which we must identify. 

First of all, the user has to know the vocabulary, or a part of the vocabulary, used for the semantic notions he/she wants to look for. For example, if he/she wants to search for theorems on natural numbers, he/she has to know that the keyword for natural numbers is nat and not N or natural; likewise, he/she has to be careful with the operators on natural numbers, like the addition, which is plus and not plus_nat or nat_plus. So some queries may be difficult without an oracle which gives the user hints to express his/her formulae correctly. This task could be made easier with a vocabulary system (like in Mizar) extracted from each module (typically a file in Coq) and combined with a command which lists the modules.

We want to avoid constant expansion. The reason is that we want to keep 
an acceptable level of complexity. We must not forget that this procedure may 
be applied to large developments (industrial or mathematical) where complexity 
must be contained. 

For the same reason, we dismiss the possibility of congruences. However, we agree that unpleasant surprises may occur without this option. There are many examples which show that congruences are important, but we can choose a case where equality occurs, e.g. the associativity of addition on real numbers:

$\forall r_1, r_2, r_3 : \mathbb{R}.\ (r_1 + r_2) + r_3 = r_1 + (r_2 + r_3)$

Without symmetry of equality, if the user inverts the two members of the equality in his/her search then he/she will not find anything. Equality is not the only operator we may want to deal with: structure operators like addition or propositional operators like conjunction are included within this context.

We do not want to deal with pattern matching here. That must be the result of another study. From this possibility, we may expect that, in the context where $A$, $B$, $C$ and $D$ are propositional variables, the type $A \to ?X \to D$, where $?X$ is a metavariable, can capture the following types:

$A \to B \wedge C \to D$
$A \to B \to C \to D$
$A \to C \to B \to D$

In a general way, parts of lemmas could be forgotten or hidden, and this facility would certainly be used very often.

Finally, we do not want to capture general inductive types. Just as for 
pattern-matching, we consider that it must be the subject of another study, 
which can only be an abstraction with respect to the constructor names or so- 
mething more semantic. 

3 Isomorphisms of Types

This section gives the basic definitions and concepts, mostly formalized in [7]. From these notions, it is possible to build a theory (axiomatization) which characterizes a certain class of isomorphisms for a given language.

In a natural way, we can say that two types are isomorphic if there exist two conversion functions, definable in the reference language, which allow us to pass from one type to the other and vice versa. More precisely, we have the following definition:

Definition 1 (Definable isomorphisms, invertible terms). Two types $A$ and $B$ are definably isomorphic ($A \cong_d B$) if and only if there exist functions ($\lambda$-terms) $M : A \to B$ and $N : B \to A$ such that $M \circ N =_c \lambda x : B.\,x$ and $N \circ M =_c \lambda x : A.\,x$, where $=_c$ is an equality over the terms. The terms $M$ and $N$ are said to be invertible.

This definition is parametrized by the choice of $=_c$, which depends on the isomorphisms we want to deal with. In general, $=_c$ contains $\beta\eta$-convertibility, projections, surjective pairing and void substitution for terms in unit (terminal object).

Beyond this syntactic concept of type isomorphism, we can obtain a more semantic view by considering the models of the language. Thus, two types are isomorphic in a specific model $\mathcal{M}$ if their interpretations are isomorphic in $\mathcal{M}$ in the traditional sense (i.e., there exist, in the model, two invertible functions $f$ and $g$ between them). Two types are semantically isomorphic if they are isomorphic in every model of the calculus.

There are many languages where the two notions of isomorphism coincide. [7] gives some examples, like the simply typed $\lambda$-calculus, system F, or the simply typed $\lambda$-calculus with Cartesian product and/or unit.

4 Formalism and Theory

In the above, the definitional equality $=_c$ is essentially $\beta$-conversion extended by more extensional simplifications like $\eta$-conversion or surjective pairing. Up to now, the main reason for considering these additional reductions was to make the theory complete, that is, to have the syntactic and semantic notions coincide. In the case of calculi with dependent types, the situation changes. Namely, these generalized $\eta$-reductions become necessary not only for completeness but also, more drastically, to be able to build a theory compatible with typing.

In this section, we will point out two difficulties due to the presence of dependent types:

1. In order to define the syntactic notion of isomorphism, we will have to explicitly keep track of the conversion function. For instance, given two types $A$ and $B$ and the corresponding functions $\sigma : A \to B$ and $\tau : B \to A$, it makes no sense to consider an isomorphism between $\Pi x : A.C$ and $\Pi x : B.C$: there is no reason for both these types to be well formed at the same time. However, we can exhibit functions between $\Pi x : A.C$ and $\Pi x : B.C[x \leftarrow (\tau\ x)]$.

2. Furthermore, in the general case, the condition that $\sigma$ and $\tau$ commute also appears to be necessary in order to build well typed equations.

Thus, this section is devoted to the presentation of a generalization of the definition of type isomorphisms for an Extended Calculus of Constructions with a more Extensional conversion rule (ECCE for short).
4.1 Definition of ECCE

ECCE is an extension of the Calculus of Constructions with predicative universes, $\Sigma$-types, unit and extensionality rules. The terms of ECCE can be inductively defined as the smallest set satisfying the following clauses:

— $Prop$ and $Type_i$ with $i \in \mathbb{N}$ are terms;

— variables are terms;

— $unit$ and $()$ are terms;

— if $A$, $B$, $M$ and $N$ are terms then $\Pi x : A.B$, $\Sigma x : A.B$, $\lambda x : A.M$, $\langle M, N \rangle_{\Sigma x : A.B}$, $(\pi_1\ M)$, $(\pi_2\ M)$ and $M\ N$ are terms.

Terms are identified modulo $\alpha$-conversion. We also write $\Pi x : A.B$ and $\Sigma x : A.B$ as $A \to B$ and $A \times B$ respectively when $x \notin FV(B)$. Reduction ($\to$) and conversion ($\simeq$) are defined as usual from the following one-step rules:

$(\lambda x : A.M)\ N \to M[x \leftarrow N]$ ($\beta$)

$\lambda x : A.(M\ x) \to M$ if $x \notin FV(M)$ ($\eta$)

$(\pi_i\ \langle M_1, M_2 \rangle_{\Sigma x : A.B}) \to M_i$ for $i = 1, 2$ ($P$)

$\langle (\pi_1\ M), (\pi_2\ M) \rangle_{\Sigma x : A.B} \to M$ ($SP$)

$M \to ()$ if $\Gamma \vdash M : unit$ ($U$)

$Prop$ and $Type_i$ are called universes and there is an inclusion between them. This type inclusion induces a type cumulativity characterized by the partial order $\preceq$ over the terms, which is the smallest relation such that:

— $Prop \preceq Type_0 \preceq Type_1 \preceq \cdots$;

— if $A \preceq A'$ and $B \preceq B'$ then $\Pi x : A.B \preceq \Pi x : A'.B'$ and $\Sigma x : A.B \preceq \Sigma x : A'.B'$.

Typing contexts are lists of expressions of the form $x : A$ where $x$ is a variable and $A$ is a term. The empty context is the empty list, written $[]$. A judgement is either "$\Gamma$ is well formed" or $\Gamma \vdash t : T$, where $\Gamma$ is a context and $t$ and $T$ are terms. $FV(\Gamma)$, where $\Gamma$ is a context of the form $[x_0 : A_0; \ldots; x_i : A_i; \ldots; x_n : A_n]$, denotes the union of the $x_i$ and the $FV(A_i)$.

The inference rules of ECCE are given in appendix A. The term $M$ is well typed under $\Gamma$ if and only if $\Gamma \vdash M : A$ is derivable for some $A$.

ECCE can be seen as an extension of the Extended Calculus of Constructions (ECC) [14] with unit and extensionality rules.
4.2 Equations

Now we can give equations over the terms of ECCE which are considered to be valid isomorphisms of ECCE. These equations express properties of function types, $\Sigma$-types and unit which we are used to handling, in a non-dependent way, in functional program­ming. If $A$, $B$ and $C$ are terms then the equations are the following:

1. $A = B$ if $A \simeq B$

2. $\Sigma x : A.B = \Sigma x : B.A$ if $x \notin FV(A, B)$

3. $\Sigma x : (\Sigma y : A.B).C = \Sigma x : A.\Sigma y : B[y \leftarrow x].C[x \leftarrow \langle x, y \rangle]$

4. $\Pi x : (\Sigma y : A.B).C = \Pi x : A.\Pi y : B[y \leftarrow x].C[x \leftarrow \langle x, y \rangle]$

5. $\Pi x : A.\Sigma y : B.C = \Sigma y : (\Pi x : A.B).\Pi x : A.C[y \leftarrow (y\ x)]$

6. $\Sigma x : A.unit = A$

7. $\Sigma x : unit.A = A[x \leftarrow ()]$

8. $\Pi x : A.unit = unit$

9. $\Pi x : unit.A = A[x \leftarrow ()]$

This system is called $Ax^{ECCE}$. We consider only well typed types, that is to say, for $\Gamma$, if $A = B$ is an instance of an equation of $Ax^{ECCE}$ then $\Gamma \vdash A : s$ and $\Gamma \vdash B : s$, where $s \in S$, with $S$ the set of the universes.

If we exclude axioms 1 (conversion) and 7 (substitution of $()$ when the witness of a $\Sigma$-type is of type unit), and if we ignore dependencies, we recognize the seven axioms that Sergei Soloviev proved complete for Closed Cartesian Categories [17].
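The nine equations above, read without dependencies, as an added Python example (my own, not the paper's implementation, which targets Coq and the dependent theory built in the next subsections): a small normaliser for the simply typed fragment with $\to$, $\times$ and unit, i.e. the seven CCC axioms of [17] plus unit elimination, which decides isomorphism by comparing canonical forms and reuses that to search a constructed library holding the five entries of Table 1. The concrete syntax (`->`, `*`, `unit`, prefix constructor application such as `List a`) and all function names are my own choices; type variables are compared by name, so the $\forall \alpha \beta$ prefix of Table 1 is dropped and renaming of variables is not handled.

```python
import re

# Concrete syntax (assumed for this example): "->" (right-associative), "*",
# "unit", identifiers, and prefix constructor application such as "List a".
TOKEN = re.compile(r"->|\*|\(|\)|[A-Za-z_][A-Za-z0-9_']*")


def parse(src):
    """Parse a type into tuples: ('var', x) | ('unit',) | ('con', c, args) |
    ('prod', A, B) | ('arrow', A, B)."""
    toks, pos = TOKEN.findall(src), 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a type'}, got {tok!r} in {src!r}")
        pos += 1
        return tok

    def arrow():                                  # A -> B -> C  =  A -> (B -> C)
        left = prod()
        if peek() == "->":
            take()
            return ("arrow", left, arrow())
        return left

    def prod():                                   # A * B * C, re-associated by normalize
        left = app()
        while peek() == "*":
            take()
            left = ("prod", left, app())
        return left

    def app():                                    # "List a": a constructor applied to atoms
        head = atom()
        args = []
        while peek() not in (None, ")", "->", "*"):
            args.append(atom())
        if not args:
            return head
        if head[0] != "var":
            raise SyntaxError("only an identifier can be applied to arguments")
        return ("con", head[1], tuple(args))

    def atom():
        tok = take()
        if tok == "(":
            inner = arrow()
            take(")")
            return inner
        if tok in ("->", "*", ")"):
            raise SyntaxError(f"unexpected {tok!r} in {src!r}")
        return ("unit",) if tok == "unit" else ("var", tok)

    result = arrow()
    if pos != len(toks):
        raise SyntaxError(f"trailing input in {src!r}")
    return result


def _sorted(items):
    return tuple(sorted(items, key=repr))         # commutativity (eq. 2): order is irrelevant


def normalize(t):
    """Canonical form modulo equations 2-9 without dependencies.  A product is a
    sorted tuple of arrow-types (args, head); args is a sorted tuple of arrow-types
    and head is ('var', x) or ('con', c, canonical args).  unit is the empty product."""
    kind = t[0]
    if kind == "unit":                            # A x unit = A, unit x A = A          (6, 7)
        return ()
    if kind == "var":
        return (((), t),)
    if kind == "con":
        return (((), ("con", t[1], tuple(normalize(a) for a in t[2]))),)
    if kind == "prod":                            # (A x B) x C = A x (B x C)             (3)
        return _sorted(normalize(t[1]) + normalize(t[2]))
    if kind == "arrow":
        dom = normalize(t[1])                     # (A x B) -> C = A -> B -> C; unit -> A = A   (4, 9)
        cod = normalize(t[2])                     # A -> (B x C) = (A -> B) x (A -> C); A -> unit = unit (5, 8)
        return _sorted((_sorted(dom + args), head) for args, head in cod)
    raise ValueError(f"unknown node {kind!r}")


def isomorphic(s, t):
    return normalize(parse(s)) == normalize(parse(t))


# Constructed library: the five entries of Table 1 (polymorphic prefix dropped)
# plus one unrelated entry, so that a search can also miss.
LIBRARY = [
    ("LCF ML", "itlist", "(a -> b -> b) -> List a -> b -> b"),
    ("Caml", "list_it", "(a -> b -> b) -> List a -> b -> b"),
    ("Haskell", "foldr", "(a -> b -> b) -> b -> List a -> b"),
    ("SML of New Jersey", "fold", "(a * b -> b) -> List a -> b -> b"),
    ("Edinburgh SML", "fold_right", "(a * b -> b) -> b -> List a -> b"),
    ("example", "compose", "(b -> c) -> (a -> b) -> a -> c"),
]


def search(query, library=LIBRARY):
    """Names of library entries whose type is isomorphic to the query type."""
    key = normalize(parse(query))
    return [name for _, name, ty in library if normalize(parse(ty)) == key]
```

A query written in any of the five styles of Table 1 hits all five entries, while `(a -> b) -> c` and `a -> b -> c` stay distinct, as they should: currying only applies to a product on the left of an arrow, never to a function argument.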

4.3 Theory

With dependencies, we guess that the theory built on $Ax^{ECCE}$ cannot be contextual, i.e. if we consider terms $T$, $A$ and $B$ where $A$ is a subterm of $T$ and where $A = B$, then we do not always have $T = T'$, where $T'$ is the term $T$ in which $B$ is substituted for some occurrences of $A$. Indeed, in $Ax^{ECCE}$, for $\Gamma$, if the left member is well typed (under $\Gamma$) then the right member is too. This property does not hold for the contextual closure, i.e. the relation which includes the axioms of $Ax^{ECCE}$ and which, given terms $T$, $T'$, $A$, $B$, contains the couples $(T, T')$ such that $A = B$, $A$ is a subterm of $T$ and $T'$ is the term $T$ where $B$ is substituted for some occurrences of $A$. To show why, let us define the notion of term context:

— terms are contexts;

— $[]$ is a context;

— if $A$, $B$, $M$ and $N$ are contexts then $\Pi x : A.B$, $\Sigma x : A.B$, $\lambda x : A.M$, $\langle M, N \rangle_{\Sigma x : A.B}$, $(\pi_1\ M)$, $(\pi_2\ M)$ and $M\ N$ are contexts.

If $\mathcal{C}$ is a context and $A$ a term, $\mathcal{C}[A]$ denotes the term $\mathcal{C}$ where $A$ is substituted for $[]$. $A$ is called the argument of $\mathcal{C}$.

Now, let us consider the following context:

$\mathcal{C} = \Pi f : [].\Pi c : (\Sigma y : A.B).(f\ c)$

With $\mathcal{C}$ and the terms $A$, $B$ and $C$, and if we suppose that, for $\Gamma$,

$\Gamma \vdash A : Type_i$, $\quad \Gamma, y : A \vdash B : Type_i$ $\quad$ and $\quad \Gamma, x : (\Sigma y : A.B) \vdash C : Type_i$

are derivable, then we can build the term $\mathcal{C}[\Pi x : (\Sigma y : A.B).C]$, which is well typed (under $\Gamma$). Using axiom 4 (currying) of $Ax^{ECCE}$ on the argument of $\mathcal{C}$, we notice that the resulting term is not well typed (under $\Gamma$).

To preserve typing, we have to modify $\mathcal{C}$ as follows:

$\mathcal{C}' = \Pi f : [].\Pi c : (\Sigma y : A.B).(f\ (\pi_1\ c)\ (\pi_2\ c))$

With $\mathcal{C}'$, the following equation is valid (deducible by $Ax^{ECCE}$) and well typed:

$\mathcal{C}[\Pi x : (\Sigma y : A.B).C] = \mathcal{C}'[\Pi x : A.\Pi y : B[y \leftarrow x].C[x \leftarrow \langle x, y \rangle]]$

$\mathcal{C}$ has been modified in the following way:

$\mathcal{C}' = \Pi f : [].\Pi c : (\Sigma y : A.B).(f\ (\pi_1\ c)\ (\pi_2\ c))$

$\quad = \Pi f : [].\Pi c : (\Sigma y : A.B).(((\lambda f : (\Pi x : A.\Pi y : B[y \leftarrow x].C[x \leftarrow \langle x, y \rangle]).\lambda x : (\Sigma y : A.B).f\ (\pi_1\ x)\ (\pi_2\ x))\ f)\ c)$

$\quad = \Pi f : [].\Pi c : (\Sigma y : A.B).((\tau\ f)\ c)$

where $\tau$ is the invertible term from the right-hand side to the left-hand side of axiom 4 of $Ax^{ECCE}$.

This example gives us several indications. Some contexts cannot be crossed without modifications, and these modifications involve invertible terms. Thus, to build the theory over $Ax^{ECCE}$, which will be called $Th^{ECCE}$, we have to justify syntactically the axioms of $Ax^{ECCE}$, that is to say, to give the associated invertible terms, and we have to define dedicated contextual inference rules to make the equations applicable within contexts.

We use the following notation:

$A = B \quad (\sigma, \tau)$

where, for $\Gamma$, $\Gamma \vdash \sigma : A \to B$ and $\Gamma \vdash \tau : B \to A$. We also write this equation as $\sigma : A = B : \tau$.

For instance, axiom 4 of $Ax^{ECCE}$ will be completed as follows (rule $ECCE_{\Pi Cur}$):

$\Pi x : (\Sigma y : A.B).C = \Pi x : A.\Pi y : B[y \leftarrow x].C[x \leftarrow \langle x, y \rangle]$

$\quad (\lambda f : (\Pi x : (\Sigma y : A.B).C).\lambda x : A.\lambda y : B[y \leftarrow x].f\ \langle x, y \rangle,$
$\quad\ \ \lambda f : (\Pi x : A.\Pi y : B[y \leftarrow x].C[x \leftarrow \langle x, y \rangle]).\lambda x : (\Sigma y : A.B).f\ (\pi_1\ x)\ (\pi_2\ x))$

And, to cross $\Pi$-expressions to the left, we have (rule $ECCE_{\Pi L}$):

$\dfrac{A = A' \quad (\sigma, \tau)}{\Pi x : A.B = \Pi x : A'.B[x \leftarrow (\tau\ x)] \quad (\lambda f : (\Pi x : A.B).\lambda x : A'.f\ (\tau\ x),\ \ \lambda f : (\Pi x : A'.B[x \leftarrow (\tau\ x)]).\lambda x : A.f\ (\sigma\ x))}$

The other axioms and inference rules of $Th^{ECCE}$ are given in appendix B.

For four terms $A$, $B$, $\sigma$ and $\tau$, the equation $\sigma : A = B : \tau$ is valid, written $\Gamma \vdash \sigma : A = B : \tau$, if and only if $\Gamma \vdash A : s$, $\Gamma \vdash B : s$ with $s \in S$, and $\sigma : A = B : \tau$ is derivable. For two terms $A$ and $B$, an equation $A = B$ is valid, written $\Gamma \vdash A = B$, if there exist $\sigma$ and $\tau$ such that $\Gamma \vdash \sigma : A = B : \tau$.

Regarding the deduction rules, we have to notice that there is no rule for contexts which are $\lambda$-expressions, pairs or applications, because these contexts cannot be crossed.

4.4 Soundness

The soundness theorem of $Th^{ECCE}$ is expressed as follows:

Theorem 1 (Soundness). If $\Gamma \vdash \sigma : A = B : \tau$ then $\Gamma \vdash \sigma : A \to B$, $\Gamma \vdash \tau : B \to A$, $\sigma \circ \tau \simeq \lambda x : B.\,x$ and $\tau \circ \sigma \simeq \lambda x : A.\,x$.

Proof. By induction on the derivation of $\Gamma \vdash \sigma : A = B : \tau$.

5 Adaptation to Coq 

5.1 Restriction 

To use Th^^^^ in Coq, a natural way consists of getting rid of the extensional 
rules in reduction and conversion. Indeed, if we leave to one side (5-reduction 
(expansion of constants in an environment) and c-reduction (reduction for pri- 
mitive inductive types), Coq is only concerned by /3-reduction. Also, we have to 
adapt the soundness theorem by substituting conversion with extensional rules 
for conversion (in this case, we use isomorphisms proved outside the formalism). 

This restriction is not strong enough to ensure the soundness theorem. For
example, let us consider the rule $Th^{ECCE}_{\Pi L}$. We suppose we have $\Gamma$ such that
$\Gamma \vdash \sigma : A = A' : \tau$ and such that $\Pi x : A.B$ and $\Pi x : A'.B[x \leftarrow (\tau\ x)]$ are
of type $s$ with $s \in S$. The second invertible term of the conclusion is of type
$\Pi x : A'.B[x \leftarrow (\tau\ x)] \to \Pi x : A.B[x \leftarrow (\tau\ (\sigma\ x))]$ and the term $(\tau\ (\sigma\ x))$
cannot always be reduced to $x$ due to the absence of extensional rules. So, some
invertible terms are not of the expected type and this invalidates the soundness
theorem.

The problem is that invertible terms can appear in types. One solution is to
prevent such occurrences, that is to say, to take out the rules $Th^{ECCE}_{\Pi L}$ and $Th^{ECCE}_{\Sigma L}$,
except for the one which creates reducible redexes.

So, this means that, to implement $Th^{ECCE}$ in Coq, we must consider a subset
of this theory with a conversion rule based only on $\beta$-reduction and with a
restriction on the use of rules which introduce invertible terms in types.

5.2 $\Sigma$-Types and Unit

In Coq, we consider $\Sigma$-types as inductive types with one constructor without a
recursive position and without any constraint on their parameters. unit is any
inductive type with one empty constructor.
5.3 A Decision Procedure

To implement the restricted theory for Coq, we extract a rewriting system, called $R^{Coq}$, from
the theory⁴. The rules of $R^{Coq}$ are given in appendix C.

An immediate consequence of the previous restriction is that $R^{Coq}$ is not
confluent. For example, if $A$ and $B$ are terms, the following critical pair cannot
be reduced to a common term:

$$\Pi x : unit.\Sigma y : A.B \ \to_{R^{Coq}_{\Pi UL}}\ (\Sigma y : A.B)[x \leftarrow tt] \ =\ \Sigma y : A[x \leftarrow tt].B[x \leftarrow tt]$$

$$\Pi x : unit.\Sigma y : A.B \ \to_{R^{Coq}_{\Pi Dis}}\ \Sigma y : (\Pi x : unit.A).\Pi x : unit.B[y \leftarrow (y\ x)] \ \to_{R^{Coq}_{\Pi UL}}\ \Sigma y : (\Pi x : unit.A).B[y \leftarrow (y\ x)][x \leftarrow tt] \ =\ \Sigma y : (\Pi x : unit.A).B[y \leftarrow (y\ tt)]$$

Thus, to have canonical normal forms, we defined a reduction strategy called
$STR^{Coq}$ and based on $R^{Coq}$. This strategy respects the following partial order:

[partial order on the rules of $R^{Coq}$; the diagram is not recoverable beyond the names $R^{Coq}_{\Sigma Ass}$ and $R^{Coq}_{\Pi Dis}$ among the rules it ranks]

This means that the rules at the top of the order must be used equally before
the rules of the next level, which in turn must be used equally before the last rule.

We can show that $STR^{Coq}$ is confluent and strongly normalizable. Due to
the restriction, the normal forms are a little complicated and of the following
form:

$$\Sigma \vec{x} : \vec{T}.T$$

where there is no $\beta$-redex in $\{\vec{T}, T\}$ and:

— each $T_i$ binds types $U_i$ with $U_i \neq unit$ and where there is no $\Sigma$ at the root of $U_i$;

— $T$ is as follows: $T = \Pi \vec{x} : \vec{V}.W$ where there is no $\Sigma$ at the root of $V_i$, $W$
and where $V_i \neq unit$, $W \neq unit$.

Now, we can give the definition of the decision procedure:

Definition 2 (Decision procedure). We call $Dec^{Coq}$ the decision procedure
which, for two types, $STR^{Coq}$-normalizes them, then compares them modulo
permutation of the $\Sigma$-components.

We have some usual and expected properties:

Theorem 2 (Soundness and termination). $Dec^{Coq}$ is sound for the restricted theory and
$Dec^{Coq}$ terminates.

Proof. The proof is quite trivial. The normalization uses the rules of $STR^{Coq}$,
that is to say, rules of $R^{Coq}$ which are extracted from the theory. The comparison
uses an axiom which can be deduced from the theory. For the termination, we
know that $STR^{Coq}$ is strongly normalizable and that permutations on a finite
sequence are finite.

Of course, $Dec^{Coq}$ is not complete for the restricted theory because we do not allow some
rules to use "left-contextual" rules. However, $Dec^{Coq}$ is a little more than the
contextual part of the theory because $\beta$-reduction can occur everywhere.

⁴ This mainly consists in orienting some rules of the theory and ignoring the others.
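As an added example (not the SearchIsos implementation, which works on Coq's dependent types), here is $Dec^{Coq}$ restricted to a non-dependent fragment: the seven axioms of $R^{Coq}$ read as rewrite rules on products and arrows, an innermost strategy standing in for $STR^{Coq}$, and the comparison modulo permutation of the $\Sigma$-components. Since no variable is bound, the substitutions $[x \leftarrow tt]$ become the identity; the sample types are constructed.

```python
from dataclasses import dataclass
from collections import Counter

# Types of the non-dependent fragment: a base type, unit, Σx:A.B with x not
# free in B (a product) and Πx:A.B with x not free in B (an arrow).
@dataclass(frozen=True)
class Base:
    name: str

@dataclass(frozen=True)
class Unit:
    pass

@dataclass(frozen=True)
class Sig:
    a: object
    b: object

@dataclass(frozen=True)
class Pi:
    a: object
    b: object

UNIT = Unit()

def root_step(t):
    """Apply one axiom of R^Coq at the root (non-dependent reading), or None.
    Without bound variables, A[x <- tt] is simply A."""
    if isinstance(t, Sig):
        if isinstance(t.b, Unit):            # ΣUR: Σx:A.unit → A
            return t.a
        if isinstance(t.a, Unit):            # ΣUL: Σx:unit.A → A[x←tt]
            return t.b
        if isinstance(t.a, Sig):             # ΣAss: Σx:(Σy:A.B).C → Σx:A.Σy:B.C
            return Sig(t.a.a, Sig(t.a.b, t.b))
    if isinstance(t, Pi):
        if isinstance(t.b, Unit):            # ΠUR: Πx:A.unit → unit
            return UNIT
        if isinstance(t.a, Unit):            # ΠUL: Πx:unit.A → A[x←tt]
            return t.b
        if isinstance(t.a, Sig):             # ΠCur: Πx:(Σy:A.B).C → Πx:A.Πy:B.C
            return Pi(t.a.a, Pi(t.a.b, t.b))
        if isinstance(t.b, Sig):             # ΠDis: Πx:A.Σy:B.C →  Σy:(Πx:A.B).Πx:A.C
            return Sig(Pi(t.a, t.b.a), Pi(t.a, t.b.b))
    return None

def normalize(t):
    """Innermost strategy: the contextual rules ΠL, ΣL, ΠR, ΣR normalize the
    subterms first, then the root is rewritten until no axiom applies."""
    if isinstance(t, (Sig, Pi)):
        t = type(t)(normalize(t.a), normalize(t.b))
    r = root_step(t)
    return normalize(r) if r is not None else t

def sigma_components(t):
    """Split a normal form Σx1:T1. ... Σxn:Tn.T into [T1, ..., Tn, T]."""
    comps = []
    while isinstance(t, Sig):
        comps.append(t.a)
        t = t.b
    comps.append(t)
    return comps

def isomorphic(t, u):
    """Dec^Coq on this fragment: normalize both types, then compare the
    multisets of Σ-components, i.e. modulo their permutation."""
    return (Counter(sigma_components(normalize(t)))
            == Counter(sigma_components(normalize(u))))

# Constructed sample: a query type and a stored lemma type that differ by
# currying, distribution over Σ, unit elimination and component order.
A, B, C = Base("A"), Base("B"), Base("C")
QUERY = Pi(Sig(A, UNIT), Sig(B, C))            # (A × unit) → (B × C)
STORED = Sig(Pi(A, C), Pi(UNIT, Pi(A, B)))     # (A → C) × (unit → (A → B))
```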

6 Implementation and Examples

The implementation we carried out for Coq is called SearchIsos⁵. In fact, there
are two tools: one inside the toplevel of Coq, which scans the current context, and
another standalone tool, called Coq_SearchIsos, which scans the whole standard
library of Coq.

In general, we suppose that users would use SearchIsos for tiny and trivial
examples. Indeed, most of the time, users are interested in finding lemmas modulo
$\alpha$-conversion and permutation in $\Pi$-expressions. For instance, we may have
requests such as the following⁶:

Coq_SearchIsos < Time SearchIsos (A:Prop)A\/~A.
#Classical_Prop#--* [classic : (P:Prop)P\/~P]
Finished transaction in 1 secs (0.6u,0s)

Coq_SearchIsos < Time SearchIsos (b:bool)b=false->b=true->False.
#Bool#--* [eq_true_false_abs : (b:bool)b=true->b=false->False]
Finished transaction in 1 secs (0.716666666667u,0s)

As expected, possibilities about $\Sigma$-types are quite powerful. For example, we
can hide the Archimedean axiom of the real numbers in an inductive type and,
to find it again, we can use usual existential quantifiers, which are much more
natural:

Coq < Require Reals.
Coq < Inductive Tarchi [r:R]:Set:=
Coq <   CTarchi : (n:nat)(gt n 0)->(Rgt (INR n) r)->(Tarchi r).
Tarchi_ind is defined
Tarchi_rec is defined
Tarchi_rect is defined
Tarchi is defined

⁵ See [4] for documentation.

⁶ For all these tests, we used a PWS 500 Digital-Alpha station with bytecode.
Coq < Axiom archi: (r:R)(Tarchi r).
archi is assumed

Coq < Time SearchIsos (r:R){n:nat | (gt n 0)/\(Rgt (INR n) r)}.
#--* [archi : (r:R)(Tarchi r)]
Finished transaction in 0 secs (0.266666666667u,0s)

As concerns unit, we must not forget that it includes all the inductive types
with one empty constructor. So, the following result is not surprising:

Coq_SearchIsos < Time SearchIsos unit.
#Datatypes#<unit>#tt :unit
#Logic#<True>#I :True
#Logic_Type#<UnitT>#IT :UnitT
Finished transaction in 0 secs (0.516666666667u,0s)

In fact, we think that users are also very interested in congruences and the 
use of metavariables. We have not yet implemented these possibilities but we 
plan to do so soon. 

7 Conclusion 

7.1 Summary 

In this work, we have achieved three goals:

— we have developed a theory $Th^{ECCE}$ with "ad hoc" contextual rules, which is
sound for ECCE;

— we have made contextual restrictions on $Th^{ECCE}$ to build a decision procedure
$Dec^{Coq}$ which is sound for the restricted theory and which is an approximation of the
contextual part of $Th^{ECCE}$;

— we have implemented $Dec^{Coq}$ in a tool called SearchIsos.

7.2 Future Work 

Several aspects remain to be explored:

— substitution to the left of an anonymous binder (when $\Pi$ is a $\to$): this
weakens the restrictions on the contextual rules and we capture types users
may expect to capture;

— introduction of congruences: this possibility seems to have priority. Indeed,
for example, SearchIsos must deal with symmetry or associativity of some
operators;

— pattern-matching: just like congruences, this must be implemented quite
quickly. SearchIsos could then subsume the current command Search which
uses a basic pattern-matching to find all the lemmas with a certain identifier
as head-constant in their conclusion;

— inductive types: as we saw previously, this can only be a kind of $\alpha$-conversion
with respect to constructor names or an identification which is more semantic
(but difficult to decide).

This kind of tool could also be useful for automated theorem proving, where 
the search of a given lemma would be done modulo type isomorphisms. In this 
perspective, invertible terms would have to be provided. 
A Inference Rules of ECCE

$$\frac{}{[]\ \text{is well formed}}\ (ECCE_{cxt0})$$

$$\frac{\Gamma \vdash A : Type_i \quad x \notin FV(\Gamma)}{\Gamma, x : A\ \text{is well formed}}\ (ECCE_{cxt1})$$

$$\frac{x : A \in \Gamma \quad \Gamma\ \text{is well formed}}{\Gamma \vdash x : A}\ (ECCE_{var})$$

$$\frac{\Gamma\ \text{is well formed}}{\Gamma \vdash Prop : Type_0}\ (ECCE_{prop})$$

$$\frac{\Gamma\ \text{is well formed}}{\Gamma \vdash Type_i : Type_{i+1}}\ (ECCE_{univ})$$

$$\frac{\Gamma\ \text{is well formed}}{\Gamma \vdash unit : Prop}\ (ECCE_{unit})$$

$$\frac{\Gamma\ \text{is well formed}}{\Gamma \vdash () : unit}\ (ECCE_{()})$$

$$\frac{\Gamma, x : A \vdash B : Prop}{\Gamma \vdash \Pi x : A.B : Prop}\ (ECCE_{prod0})$$

$$\frac{\Gamma \vdash A : Type_i \quad \Gamma, x : A \vdash B : Type_i}{\Gamma \vdash \Pi x : A.B : Type_i}\ (ECCE_{prod1})$$

$$\frac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x : A.M : \Pi x : A.B}\ (ECCE_{lam})$$

$$\frac{\Gamma \vdash M : \Pi x : A.B \quad \Gamma \vdash N : A}{\Gamma \vdash M\ N : B[x \leftarrow N]}\ (ECCE_{app})$$

$$\frac{\Gamma \vdash A : Type_i \quad \Gamma, x : A \vdash B : Type_i}{\Gamma \vdash \Sigma x : A.B : Type_i}\ (ECCE_{sig})$$

$$\frac{\Gamma \vdash M : A \quad \Gamma \vdash N : B[x \leftarrow M] \quad \Gamma, x : A \vdash B : Type_i}{\Gamma \vdash (M, N)_{\Sigma x : A.B} : \Sigma x : A.B}\ (ECCE_{pair})$$

$$\frac{\Gamma \vdash M : \Sigma x : A.B}{\Gamma \vdash (\pi_1\ M) : A}\ (ECCE_{proj0})$$

$$\frac{\Gamma \vdash M : \Sigma x : A.B}{\Gamma \vdash (\pi_2\ M) : B[x \leftarrow (\pi_1\ M)]}\ (ECCE_{proj1})$$

$$\frac{\Gamma \vdash M : A \quad \Gamma \vdash A' : Type_i \quad A \simeq A'}{\Gamma \vdash M : A'}\ (ECCE_{conv})$$

$$\frac{\Gamma \vdash M : A \quad \Gamma \vdash A' : Type_i \quad A \preccurlyeq A'}{\Gamma \vdash M : A'}\ (ECCE_{cum})$$


B Axioms and Inference Rules of $Th^{ECCE}$

Each equation $A = B$ is followed by its pair of invertible terms $(\sigma, \tau)$, so that it reads $\sigma : A = B : \tau$ in the notation of section 4.

$$\Sigma x : unit.A = A[x \leftarrow tt] \qquad (\lambda c : (\Sigma x : unit.A).(\pi_2\ c),\ \lambda a : A[x \leftarrow tt].(tt, a)) \qquad (Th^{ECCE}_{\Sigma UL})$$

$$\Sigma x : A.B = \Sigma x : B.A \qquad (\lambda c : (\Sigma x : A.B).(\pi_2\ c, \pi_1\ c),\ \lambda c : (\Sigma x : B.A).(\pi_2\ c, \pi_1\ c)) \qquad \text{if } x \notin FV(A, B)$$

$$\Sigma x : (\Sigma y : A.B).C = \Sigma x : A.\Sigma y : B[y \leftarrow x].C[x \leftarrow (x, y)]$$
$$(\lambda z : (\Sigma x : (\Sigma y : A.B).C).(\pi_1\ (\pi_1\ z), (\pi_2\ (\pi_1\ z), \pi_2\ z)),\ \lambda z : (\Sigma x : A.\Sigma y : B[y \leftarrow x].C[x \leftarrow (x, y)]).((\pi_1\ z, \pi_1\ (\pi_2\ z)), \pi_2\ (\pi_2\ z))) \qquad (Th^{ECCE}_{\Sigma Ass})$$

$$\Pi x : A.unit = unit \qquad (\lambda f : (\Pi x : A.unit).tt,\ \lambda u : unit.\lambda x : A.tt) \qquad (Th^{ECCE}_{\Pi UR})$$

$$\Pi x : (\Sigma y : A.B).C = \Pi x : A.\Pi y : B[y \leftarrow x].C[x \leftarrow (x, y)]$$
$$(\lambda f : (\Pi x : (\Sigma y : A.B).C).\lambda x : A.\lambda y : B[y \leftarrow x].f\ (x, y),\ \lambda f : (\Pi x : A.\Pi y : B[y \leftarrow x].C[x \leftarrow (x, y)]).\lambda x : (\Sigma y : A.B).f\ (\pi_1\ x)\ (\pi_2\ x)) \qquad (Th^{ECCE}_{\Pi Cur})$$

$$\Pi x : unit.A = A[x \leftarrow tt] \qquad (\lambda f : (\Pi x : unit.A).f\ tt,\ \lambda a : A[x \leftarrow tt].\lambda x : unit.a) \qquad (Th^{ECCE}_{\Pi UL})$$

$$\Pi x : A.\Sigma y : B.C = \Sigma y : (\Pi x : A.B).\Pi x : A.C[y \leftarrow (y\ x)]$$
$$(\lambda f : (\Pi x : A.\Sigma y : B.C).(\lambda x : A.(\pi_1\ (f\ x)), \lambda x : A.(\pi_2\ (f\ x))),\ \lambda c : (\Sigma y : (\Pi x : A.B).\Pi x : A.C[y \leftarrow (y\ x)]).\lambda x : A.((\pi_1\ c)\ x, (\pi_2\ c)\ x)) \qquad (Th^{ECCE}_{\Pi Dis})$$

$$\frac{}{A = A}\ (Th^{ECCE}_{Ref})$$

$$\frac{A = B}{B = A}$$

$$\frac{A = B \quad B = C}{A = C}\ (Th^{ECCE}_{Trs})$$

$$\frac{\sigma : A = A' : \tau}{\Pi x : A.B = \Pi x : A'.B[x \leftarrow (\tau\ x)]} \qquad (\lambda f : (\Pi x : A.B).\lambda x : A'.f\ (\tau\ x),\ \lambda f : (\Pi x : A'.B[x \leftarrow (\tau\ x)]).\lambda x : A.f\ (\sigma\ x)) \qquad (Th^{ECCE}_{\Pi L})$$

$$\frac{\sigma : A = A' : \tau}{\Sigma x : A.B = \Sigma x : A'.B[x \leftarrow (\tau\ x)]} \qquad (\lambda c : (\Sigma x : A.B).(\sigma\ (\pi_1\ c), \pi_2\ c),\ \lambda c : (\Sigma x : A'.B[x \leftarrow (\tau\ x)]).(\tau\ (\pi_1\ c), \pi_2\ c)) \qquad (Th^{ECCE}_{\Sigma L})$$

$$\frac{\sigma : A = A' : \tau}{\Pi x : B.A = \Pi x : B.A'} \qquad (\lambda f : (\Pi x : B.A).\lambda x : B.\sigma\ (f\ x),\ \lambda f : (\Pi x : B.A').\lambda x : B.\tau\ (f\ x)) \qquad (Th^{ECCE}_{\Pi R})$$

$$\frac{\sigma : A = A' : \tau}{\Sigma x : B.A = \Sigma x : B.A'} \qquad (\lambda c : (\Sigma x : B.A).(\pi_1\ c, \sigma\ (\pi_2\ c)),\ \lambda c : (\Sigma x : B.A').(\pi_1\ c, \tau\ (\pi_2\ c))) \qquad (Th^{ECCE}_{\Sigma R})$$
C Rules of $R^{Coq}$

$$\Sigma x : A.unit \to A \qquad (R^{Coq}_{\Sigma UR})$$

$$\Sigma x : (\Sigma y : A.B).C \to \Sigma x : A.\Sigma y : B[y \leftarrow x].C[x \leftarrow (x, y)] \qquad (R^{Coq}_{\Sigma Ass})$$

$$\Sigma x : unit.A \to A[x \leftarrow tt] \qquad (R^{Coq}_{\Sigma UL})$$

$$\Pi x : (\Sigma y : A.B).C \to \Pi x : A.\Pi y : B[y \leftarrow x].C[x \leftarrow (x, y)] \qquad (R^{Coq}_{\Pi Cur})$$

$$\Pi x : A.unit \to unit \qquad (R^{Coq}_{\Pi UR})$$

$$\Pi x : A.\Sigma y : B.C \to \Sigma y : (\Pi x : A.B).\Pi x : A.C[y \leftarrow (y\ x)] \qquad (R^{Coq}_{\Pi Dis})$$

$$\Pi x : unit.A \to A[x \leftarrow tt] \qquad (R^{Coq}_{\Pi UL})$$

$$\frac{A \to_\beta A'}{A \to A'}\ (R^{Coq}_{Sbs})$$

$$\frac{A \to A'}{\Pi x : B.A \to \Pi x : B.A'}\ (R^{Coq}_{\Pi R})$$

$$\frac{A \to A'}{\Sigma x : B.A \to \Sigma x : B.A'}\ (R^{Coq}_{\Sigma R})$$

$$\frac{A \to A'}{\Pi x : A.B \to \Pi x : A'.B}\ (R^{Coq}_{\Pi L})$$

$$\frac{A \to A'}{\Sigma x : A.B \to \Sigma x : A'.B}\ (R^{Coq}_{\Sigma L})$$
Abstract. We present an abstract model of computer memory, in the
form of directed, labeled graphs with simple transitions corresponding
to valid memory operations. We also introduce a refinement of this basic
model of memory that incorporates features of memory management.
After giving some examples of how this refined model captures various
incremental tracing algorithms, we investigate properties of the two
representations and show that they are behaviorally equivalent. The proofs
have been formally verified in the proof assistant Coq.



1 Introduction 

1.1 Overview 

Memory management is for several reasons an essential component of
constructing modern large applications. First, space can be at a premium in large
applications, and some mechanism is needed for returning unused space to the program
efficiently. Secondly, memory management takes a significant portion of total
program execution time, and naive implementations can lead to extremely
inefficient programs. Finally, memory errors, such as accessing freed memory cells,
in programs are notoriously difficult to find. Although sophisticated tools exist
for uncovering various kinds of memory faults, it is safer to build more reliable
memory management into the design. For these reasons, large programs need
schemes to manage allocating and freeing of memory efficiently.

The view that a more disciplined approach to memory management is an
important aspect of program development is filtering its way from the
functional programming community into the broader programming community and
more traditional state-based languages. For example, web programming
languages such as Java and Python include garbage collection as part of the language,
and there are various packages for performing memory management in C and
C++. With this increased importance, we believe that a formal understanding
of memory management also becomes more important.

* Most of this author’s work was carried out at the LFCS, The King’s Buildings, 
University of Edinburgh, EH9 3JZ, UK. 

* This author was at Harlequin Ltd. at the time of the collaboration. 
There are many schemes for memory management, ranging from explicit
allocation and de-allocation of memory to sophisticated generational and replication
garbage collectors. We include references [6,9] to several excellent introductions
to the field of memory management.

1.2 Incremental Tracing 

In this paper we concentrate on understanding a particularly error-prone area
of garbage collection, incremental tracing. Tracing is the first of two phases in
garbage collection, and consists of a systematic search through memory
distinguishing those memory cells that are in use by the program from those that are
not. The algorithms we are interested in are incremental because the program
can be using memory as the memory management system is searching for the
unused cells or de-allocating those that have been found.

The tracing phase is excellent for formalization because there is a widely
understood informal model for it, involving coloring the nodes of the graph black,
grey or white. This informal understanding is remarkably general and can
model the great majority of incremental (and non-incremental) tracing algorithms.
Furthermore, verifying incremental tracing algorithms by hand is notoriously
difficult, as demonstrated by errors in early papers such as that by Ben-Ari [1].

The second phase of garbage collection, the collection phase, consists of
de-allocating those cells that are not in use by the program. We do not concentrate
on the collection phase in this paper because, unlike the tracing phase, there is no
unified understanding of this phase. We leave a general treatment of collection,
under development now, to a further paper.

1.3 A General Theory of Memory Management 

As far as we are aware there is no general theory of incremental tracing, let alone 
memory management, in the literature. There have been some formal treatments 
of garbage collection [4, 5, 7, 8], but these do not offer a general framework for 
understanding the problem. We see our paper primarily as a move toward an 
abstract understanding of memory management. 

The main contribution of this paper is the presentation of abstract
formulations of computer memory and incremental tracing over computer memory,
and a proof of their behavioral equivalence. This model is sufficiently abstract
that it is easy to formalize. It also has a clear correspondence with incremental
tracing algorithms, and so can be used as a vehicle for communication between
academic and industrial collaborators.

All definitions and proofs discussed in this paper have been carried out in 
the proof assistant Coq [3], a type-theory based system developed at Inria. In 
this paper we have deliberately avoided any discussion of issues involving the 
underlying logic of the proof assistant, preferring to present the results in a 
naive set-theoretic style, because we believe that the abstractions are the most 
important contribution of this work. However, the proofs are available on the 
Coq web site, http://pauillac.inria.fr/coq/contribs-eng.html. 
2 A Model of Memory

A naive model of memory on a computer might include a CPU with registers, 
and various external forms of memory such as random-access memory, disks, and 
tapes. The CPU accesses memory other than its registers by using particular 
instructions with offsets. 

Starting from this simple view of memory, we abstract to a model of memory 
as a directed, labeled graph with roots, with certain simple restrictions. The roots 
correspond to registers, and the labels correspond to offsets to access external 
memory. 



2.1 Pre-graphs and Graphs 

We begin by introducing the notion of pre-graph, which simply characterizes the 
raw data of a graph, without guaranteeing its well-formedness or consistency. 
Intuitively the pre-graph represents the memory cells as they exist physically 
on the computer, without reflecting the structure built up when a program is 
running. 

We parameterize our definitions by a set N of pre-nodes and a set L of 
labels. The pre-nodes represent memory cells, and the labels represent pointers 
or offsets to memory cells. 

Definition 1 (Directed Labeled Pre-Graph with Roots). A directed labeled
pre-graph with roots has two subsets Node and Root of $N$ and a subset
Edge of $N \times L \times N$.

We shall simply write pre-graph in place of directed labeled pre-graph with 
roots. 

We also introduce a predicate GraphP characterizing those pre-graphs that 
are actually graphs. This predicate says that a well-behaved graph G must satisfy 
the following axioms: 

— Every root is a node. 

— The endpoints of every edge are nodes. 

— If there are two edges from $a$ by label $l$, with endpoints $b$ and $c$, then $b = c$.

— Any graph G always has an infinite number of pre-nodes that are not nodes 
in G. 

We say that G is a graph if GraphP(G). 

We use a simple graphical notation for our pre-graphs, which are easily
translated into statements about the formal objects.

2.2 Memory Actions on Graphs 

We can consider basic operations over this simple model of memory. All of these 
operations start from the roots, or the CPU, and affect the external memory in 
some way. 
[diagrams of the memory actions; only the last survives: Alloc($A$, $l$), with side condition: no edge labeled $l$ from node $A$, and $B$ is not a node]

Here, all actions require that $A$ be a root. We write $G \to^a H$ if one of the above
actions on the graph $G$ produces the graph $H$.

The model we have introduced is a purely local presentation of memory. 
We do not require any global properties about the accessibility of nodes in the 
graph, nor do we require operations on the graph more than two indirections 
away from the root. Complex operations can be implemented as sequences of 
the basic operations we have introduced. 

The operations introduced correspond closely to the usual memory
operations available in a computer. For example, the Load operation corresponds to
bringing a pointer stored in external memory into the registers on the CPU. The
Store operation corresponds to placing a pointer stored in the CPU into external
memory. The Drop and Splat operations model clearing pointers, either in the
CPU or in external memory. The Alloc action creates a new node in the graph
and links it by the label $l$ to root $A$.

There are many possible restrictions of our formulation that would remain 
interesting. For example, in LISP we only have two possible labels for edges, 
car and cdr. We have not investigated such restrictions in our work so far. 
Memory management for Java is more complex, but we believe it is still within 
our framework. 

The following proposition is proved by induction on possible actions: 
Proposition 1. If $G \to^a H$ and GraphP($G$) then GraphP($H$).

2.3 Accessibility 

We have two notions of accessibility of nodes in a memory graph. First, those
nodes in the transitive closure of the edge relation from a root are accessible.
Secondly, nodes that can be brought next to the root by a sequence of
memory actions are accessible. We show that these two notions of accessibility are
equivalent.

We begin by defining inductively these notions of when a node is accessible.

Definition 2 (Graph Accessible).

— A root a in a graph G is graph accessible in G. 

— If $a$ is graph accessible in $G$ and there is an edge $l$ from $a$ to $b$ in $G$ then $b$
is graph accessible in $G$.

Definition 3 (Action Accessible). 

— A root a in a graph G is action accessible in G. 

— If $a$ is a root in a graph $G$ and there is an edge from $a$ to $b$ then $b$ is action
accessible in $G$.

— If $a$ is a node in the graph $G$ and is action accessible in $H$, and $G \to^a H$,
then $a$ is action accessible in $G$.

We now show that action accessibility implies graph accessibility. We begin
by showing that memory actions do not extend the graph accessibility relation.
Clearly, this will not apply to newly allocated nodes, so we restrict to those
nodes that are in the original graph.

Lemma 1. If $G$ is a graph, $d$ is a node in $G$, $d$ is graph accessible in $H$ and
$G \to^a H$ then $d$ is graph accessible in $G$.

Proof. By induction on possible actions $G \to^a H$. In each case, we then apply
induction on the proof that $d$ is graph accessible in $H$.

We consider the case Load($A$, $l$, $m$, $n$). Suppose we have added an edge $n$ from
$d$ to $c$. Then if a proof of accessibility uses $n$ then we instead use edges $l$ and $m$,
and otherwise if we use an edge $p$ that is not $n$ then $p$ is also in $G$.

Proposition 2. If a is action accessible in G then it is graph accessible in G. 

Proof. By induction on a being action accessible in G. The cases of a being a 
root or one edge away from the root are trivial, and the inductive case follows 
by Lemma 1. 

We now show that all accessible nodes in the memory graph can be reached
by a sequence of memory actions. The proof relies on there being two labels, $l$
and $m$, that are not used out of the root $r$ from which $a$ is accessible.

Proposition 3. If $a$ is graph accessible in $G$ then it is action accessible in $G$.

Proof. The proof proceeds by induction on $a$ being graph accessible in $G$. If $a$ is a
root or if there is a root $r$ and an edge $n$ from $r$ to $a$ then $a$ is immediately action
accessible in $G$. Otherwise, we are in the case that there is a node $b$ accessible
from the root $r$ and an edge $n$ from $b$ to $a$. For a path of length 2 from the
root $r$ to $a$ we add an edge $l$ from $r$ to $a$ using a Load action, and from then on
we alternate pairs of actions Load($r$, $l$, $n$, $m$) and Drop($r$, $l$) with pairs of actions
Load($r$, $m$, $n$, $l$) and Drop($r$, $m$). This yields a sequence of actions that finishes
with a graph with the edge $l$ or $m$ linking $r$ to $a$.
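The Load/Drop alternation of Proposition 3, as an added example that is not the paper's Coq formalization. Load($A$, $l$, $m$, $n$) is assumed to add the edge $A \to^n C$ when $A \to^l B \to^m C$, as in the proof of Lemma 1, and Drop($A$, $l$) to remove the edge $l$ out of $A$; the memory graph is constructed.

```python
def load(edges, a, l, m, n):
    """Load(A, l, m, n): with A -l-> B and B -m-> C, add the edge A -n-> C.
    GraphP forbids two edges with the same label out of A, so n must be free."""
    assert n not in edges[a], "label n already used out of A"
    c = edges[edges[a][l]][m]
    edges[a][n] = c

def drop(edges, a, l):
    """Drop(A, l): clear the pointer l held in the root A."""
    del edges[a][l]

def graph_accessible(edges, roots):
    """Transitive closure of the edge relation from the roots (Definition 2)."""
    seen, stack = set(roots), list(roots)
    while stack:
        a = stack.pop()
        for b in edges.get(a, {}).values():
            if b not in seen:
                seen.add(b)
                stack.append(b)
    return seen

def bring_next_to_root(edges, r, path, l, m):
    """Proposition 3: `path` lists the labels of a path of length >= 2 from the
    root r to a node a; l and m are labels unused out of r.  Returns the action
    sequence; afterwards r -l-> a or r -m-> a, so a is action accessible."""
    assert l not in edges[r] and m not in edges[r] and len(path) >= 2
    n1, n2, *rest = path
    load(edges, r, n1, n2, l)                      # path of length 2: one Load
    actions = [("Load", r, n1, n2, l)]
    cur, other = l, m                              # cur links r to the current node
    for n in rest:                                 # alternate Load/Drop pairs
        load(edges, r, cur, n, other)              # r -other-> next node on the path
        drop(edges, r, cur)
        actions += [("Load", r, cur, n, other), ("Drop", r, cur)]
        cur, other = other, cur
    return actions, cur

def demo():
    """Constructed memory graph: r -car-> n1 -cdr-> n2 -car-> n3 -cdr-> a."""
    edges = {"r": {"car": "n1"}, "n1": {"cdr": "n2"}, "n2": {"car": "n3"},
             "n3": {"cdr": "a"}, "a": {}}
    before = graph_accessible(edges, {"r"})
    actions, label = bring_next_to_root(edges, "r", ["car", "cdr", "car", "cdr"], "l", "m")
    # Lemma 1: the actions did not extend graph accessibility of the old nodes
    assert graph_accessible(edges, {"r"}) == before
    return actions, label, edges["r"]
```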

From now on, we shall simply say accessibility for graph accessibility, since 
the two definitions are equivalent and graph accessibility is the more direct 
notion. 



3 Garbage Collection by Incremental Tracing 

The model of memory introduced in the previous section does not take account 
of the bookkeeping underlying a program’s use of memory. Normally, a program 
will allocate new blocks of memory, use them for some amount of time, and then 
free the memory, either explicitly by telling a memory management system or 
implicitly by having removed all pointers to the memory. 

In interactive applications the user should not be able to notice interventions
by the memory management system. Hence, the program and the memory
management system should be interleaved, with the memory management system
able to do work at any point while the program is running. Because the program
is active changing the memory while the memory management system is trying
to determine inaccessible pointers, the program is commonly called the mutator.

One common technique to allow this is incremental tracing. Abstractly, the 
memory management system traverses the graph from the registers, marking 
memory cells as it passes through them, and keeping enough information that 
changes in the graph by the program do not confuse it. Once there are no more 
nodes to traverse in the graph of active memory, the rest of memory is returned 
to the program. 

We formalize this notion of incremental tracing using a definition of colored 
graphs over the colors White, Grey and Black. Intuitively, nodes are white if 
they have not been considered, marking a node grey means that it has been 
considered but its children have not, and marking a node black means that the 
node has been completely traversed by the tracing algorithm. 

This approach of considering that the tracing algorithm assigns colors to the
objects in the graph in its traversal is well-established in the memory
management community, and has existed at least since the seminal paper by Dijkstra
et al. [2].
3.1 Colored Graphs

We now introduce the definitions for colored graphs. This is the formal
counterpart of graphs for the development of memory management systems with
incremental tracing.

Definition 4 (Colored Pre-Graph). A colored pre-graph is a pre-graph with
the further set Color $\subseteq N \times \{$White, Grey, Black$\}$.

The set Color in colored pre-graphs captures the possibility that the data 
structure representing colored pre-graphs may allow a node to have several colors 
if the internal representation is inconsistent and does not represent a colored 
graph. 

A colored pre-graph satisfies the predicate ColorP if it satisfies the following 
conditions: 

— It satisfies the predicate GraphP.

— The set Color is functional, that is for all $a$ there is a unique $c$ in
{White, Grey, Black} such that $(a, c) \in$ Color.

— There is a finite number of nodes that are white or grey. 

Similar to pre-graphs, we say that C is a colored graph if it satisfies the predicate 
ColorP. 

We write $|C|$ for the underlying pre-graph associated with $C$. Notice that if
$C$ is a colored graph then $|C|$ is a graph.

We do not require colored graphs to have a finite number of nodes in order to 
be able to do tracing on it. We only require that the number of white and grey 
nodes be finite, since this represents the portion of the graph that is actually 
being traversed. This allows us to consider infinite graphs, or effectively infinite 
graphs where we do not have control over the entire graph, like the Internet. 

3.2 Memory Actions over Colored Graphs

We can now formulate the actions of the mutator in the setting of colored pre- 
graphs. We must maintain the invariant that there are no links from a black 
node to a white one, which informally models our intuition that the grey fringe 
represents the nodes that are in the process of being considered. To preserve 
the invariant, there are restrictions on the operations for loading and storing 
memory addresses. 
[diagrams of the mutator actions over colored graphs; only their side conditions survive:]

(No edge labeled $n$ from node $A$, and $A$ not black or $C$ not white)

(No edge labeled $n$ from node $B$, and $B$ not black or $C$ not white)

(No edge labeled $l$ from node $A$, and $B$ allocated black¹)

Again, similar to graph actions, $A$ must be a root.

We also have actions representing the possible work the tracer can do.

[diagrams of the tracer actions, among them Child; not recoverable]

In the rule Root, the node must be a root.

¹ This rule could be generalized so that if $A$ is not white then $B$ can be allocated grey
or white, but we have not proved anything about such a rule.
The mutator actions over colored graphs are carefully formulated so as not to
change colors of objects themselves. We consider that the tracer is solely
responsible for changing colors in the graph, which may correspond to copying objects
and updating pointers, or updating data kept in an internal representation of the
tracer. Conversely, the tracer has no influence over the structure of the graph:
only the mutator can change graph connectivity.

The approach of separating tracer actions from memory actions, and
restricting memory actions so that they can only occur when the resulting graph will
not violate the invariant, is very general. However, there is one situation that
is not captured by this abstraction. If we are storing a pointer to an object in
a black node then for efficiency reasons it is often desirable in practice to turn
the black node grey directly. However, for the tracer this represents a loss of
progress. We therefore include this as a single mutator action, StoreBlackGrey,
which when storing into a black object with a grey root will mark the black
object grey and do the store:

[diagram of StoreBlackGrey; side condition: no edge labeled $n$ from node $B$, and $A$ grey]

where the black node is node $B$ and the rule is subject to $A$ being a root. This
allows the unobservable tracer actions to be terminating at any point, even if
the mutator can create more work for the tracer through an observable action.

We now discuss how two common incremental tracing algorithms fit the 
abstraction of actions over colored graphs. 
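Added example (not the paper's Coq development): an executable model of colored graphs with the mutator actions Store, Alloc and StoreBlackGrey and the tracer actions Root, Child and Black, plus the invariant and the write barrier of sections 3.2 and 3.3. The argument convention Store($A$, $l$, $m$, $n$) adding $B \to^n C$ when $A \to^l B$ and $A \to^m C$, and the exact shape of the three tracer rules, are assumptions since the diagrams did not survive; Load, Drop and Splat are omitted (Drop and Splat only remove edges and cannot violate the invariant). The scenario is constructed.

```python
WHITE, GREY, BLACK = "white", "grey", "black"

class BarrierViolation(Exception):
    pass  # a mutator action that would create a black -> white edge is refused

class ColoredGraph:
    def __init__(self, roots, edges, color):
        self.roots = set(roots)
        self.edges = {n: dict(ls) for n, ls in edges.items()}  # node -> {label: node}
        self.color = dict(color)                                # functional, as ColorP asks

    def _target(self, a, l):
        return self.edges.get(a, {}).get(l)

    def invariant(self):
        """No edge from a black node to a white node."""
        return not any(self.color[a] == BLACK and self.color[b] == WHITE
                       for a, ls in self.edges.items() for b in ls.values())

    def _check_edge(self, src, dst):
        if self.color[src] == BLACK and self.color[dst] == WHITE:
            raise BarrierViolation((src, dst))

    # Mutator actions change edges and (except StoreBlackGrey) never colors.
    def store(self, a, l, m, n):
        """Store(A,l,m,n): A -l-> B, A -m-> C gives B -n-> C; this is the write barrier."""
        assert a in self.roots
        b, c = self._target(a, l), self._target(a, m)
        assert self._target(b, n) is None
        self._check_edge(b, c)
        self.edges.setdefault(b, {})[n] = c

    def store_black_grey(self, a, l, m, n):
        """StoreBlackGrey: a grey root stores into a black B by turning B grey first."""
        assert a in self.roots and self.color[a] == GREY
        b = self._target(a, l)
        assert self.color[b] == BLACK
        self.color[b] = GREY              # the tracer loses its progress on B
        self.store(a, l, m, n)

    def alloc(self, a, l, new):           # Alloc(A,l): fresh node, allocated black
        assert a in self.roots and self._target(a, l) is None and new not in self.color
        self.color[new] = BLACK
        self.edges.setdefault(a, {})[l] = new

    # Tracer actions change colors and never edges.
    def root(self, a):                    # Root: a white root turns grey
        assert a in self.roots and self.color[a] == WHITE
        self.color[a] = GREY

    def child(self, a, l):                # Child: a white child of a grey node turns grey
        b = self._target(a, l)
        assert self.color[a] == GREY and self.color[b] == WHITE
        self.color[b] = GREY

    def _no_white_child(self, a):
        return all(self.color[b] != WHITE for b in self.edges.get(a, {}).values())

    def black(self, a):                   # Black: a grey node with no white child turns black
        assert self.color[a] == GREY and self._no_white_child(a)
        self.color[a] = BLACK

    def tracer_step(self):                # apply some enabled tracer action, if any
        for r in self.roots:
            if self.color[r] == WHITE:
                self.root(r); return True
        for a, ls in self.edges.items():
            if self.color[a] == GREY:
                for l, b in ls.items():
                    if self.color[b] == WHITE:
                        self.child(a, l); return True
        for a in list(self.color):
            if self.color[a] == GREY and self._no_white_child(a):
                self.black(a); return True
        return False

    def trace(self):
        """Run the tracer to completion, checking Lemma 4 at each step; returns the white nodes."""
        while self.tracer_step():
            assert self.invariant()
        return {n for n, c in self.color.items() if c == WHITE}

def demo():
    """Constructed scenario: root r, objects a and w, and an unreachable node junk."""
    g = ColoredGraph(roots={"r"}, color={n: WHITE for n in ("r", "a", "w", "junk")},
                     edges={"r": {"p": "a", "q": "w"}, "a": {}, "w": {}, "junk": {"k": "w"}})
    g.root("r"); g.child("r", "p"); g.black("a")   # a is black while w is still white
    try:
        g.store("r", "p", "q", "n")                # would add a -n-> w: black -> white
        refused = False
    except BarrierViolation:
        refused = True
    g.store_black_grey("r", "p", "q", "n")         # allowed: a is greyed, then stored into
    g.alloc("r", "s", "fresh")                     # allocated black, trivially safe
    garbage = g.trace()
    return refused, dict(g.color), garbage
```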



3.3 Mark Sweep Collectors 

Mark-sweep collectors traverse the graph structure as the mutator sees it,
finding the transitive closure of the graph and marking each object that is in the
graph in some way to record that the object was reached. The objects that are
currently being considered are stored in a stack or a queue. The algorithm adds
the unmarked children of the object at the head of the queue, and then removes
the head from the queue and marks it. Once the queue is empty, and therefore
the connected objects have been determined, the collector examines memory
to find those objects that have not been marked and reclaims the space they
occupy.

The color abstraction captures this algorithm naturally. Objects that have 
not been marked are white. Objects that are in the queue of objects still being 
considered are grey. Objects that have been marked are black. 

In this framework, the roots are considered grey throughout tracing, only 
being changed to black when the graph has been fully traversed. This means we 
only need to prevent pointers to white objects being written into black objects, 
which is called a write barrier. 
3.4 Copy Collectors

A copy collector is implemented by using two equal sized pools of memory, the 
to-space and the from-space. A pointer in to-space indicates where to allocate 
new objects, and is incremented with each allocation. When this pointer reaches 
the end of to-space, indicating that there is no further memory, the to- and 
from-spaces are reversed or flipped, and objects in the new from-space that are 
accessible from the root are copied to the new to-space. Objects copied from 
from-space to to-space are scanned to find pointers to other objects in from- 
space, and those objects are also copied to to-space: a pointer in from-space 
indicates the last object whose children have been considered. 

Conceptually, the black objects are those that have been copied from from- 
space to to-space above the pointer, whose children have also all been considered. 
The grey objects are those copied and below the pointer in from-space, whose 
children have still not been considered. The white objects are those that have 
not been copied from from-space to to-space. 

Attempts to access an object in from-space must be trapped and the object 
copied to to-space, because it is accessible. This is called a read barrier. 



3.5 Condemned Zones 

A common technique in memory management systems is to select a particular
area of memory for garbage collection, sometimes referred to as the condemned
zone. In this setting all objects outside of the condemned zone are considered
black, and those objects within the condemned zone that have pointers to them
from outside are considered to be the roots, and hence grey. This gives us a
technique for garbage collecting a finite subgraph of infinite or effectively
infinite graphs, such as the Internet, because only finitely many nodes need to be
traversed by the algorithm.

3.6 Formal Properties 

The tracer actions are non-deterministic. A graph may have several possible 
actions that the tracer can reasonably perform to make progress towards deter- 
mining the transitive closure of accessibility in the graph. This non-determinism 
is intended to represent choice of implementation, rather than choice of action 
for a particular tracer. However, we can show that this non-determinism of the 
tracer always gives the same results, so choice of implementation does not affect 
behavior. 

Lemma 2. If $C \xrightarrow{a} D$ and $C \xrightarrow{b} D'$ then there is an $E$ such that $D \xrightarrow{b} E$ 
and $D' \xrightarrow{a} E$. 

Proof. By a double induction on actions $C \xrightarrow{a} D$ and $C \xrightarrow{b} D'$. There are two 
critical pairs, between Root and Child, and Black and Child, and both are easy. 

Lemma 3. If $C \xrightarrow{a} D$ and $C$ satisfies ColorP then $D$ satisfies ColorP. 

Proof. By induction on actions $C \xrightarrow{a} D$. 

We also have the following important property, that tracer actions preserve 
the invariant. 

Lemma 4 (Preservation of Invariant). If the colored graph $C$ satisfies the 
invariant and $C \xrightarrow{a} D$ then $D$ satisfies the invariant. 

Proof. By induction on actions $C \xrightarrow{a} D$. 

From now on we implicitly assume that all colored graphs satisfy the invari- 
ant. 



4 Correctness of Incremental Tracing 

4.1 Behavioral Equivalence 

Now that we have defined both a model of ideal memory and a model of incre- 
mentally traced memory, we wish to show that the two have the same behavior 
with respect to program operations on memory. We do this using the notion of 
bisimilarity from concurrency to model behavioral equivalence, where we con- 
sider tracer actions in the memory management model to be unobservable. In 
concurrency theory unobservable actions are denoted by writing them $\tau$. We 
write $a$ only for observable actions. 

The behavioral equivalence with respect to program operations is the central 
result of this paper. It is a formal result that captures various of our intuiti- 
ons about incremental tracing. We know that although tracing may postpone 
mutator actions, in order to avoid creating a pointer from a black object to a 
white one, it will never prevent mutator actions indefinitely. We also know that 
memory management does not change an observer’s view of how memory works. 

We write G i? if G G' H. 

Definition 5 (Bisimulation). Given two relations $R$ and $S$ on graphs, a re- 
lation $T$ between two graphs $G$ and $H$ is a bisimulation if: 

— If $G \xrightarrow{a}_R G'$ then there is an $H'$ such that $H \Rightarrow^{a}_S H'$ and $G'\,T\,H'$. 

— If $H \xrightarrow{a}_S H'$ then there is a $G'$ such that $G \Rightarrow^{a}_R G'$ and $G'\,T\,H'$. 

Bisimulation, $G \approx H$, is the greatest relation that is a bisimulation. 

Notice the parameterization of bisimilarity by relations on graphs. This is 
necessary to allow us to talk about bisimilarity between a graph and a colored 
graph. In this case, we take R to be the memory actions on graphs, and S to 
be the memory actions on colored graphs, with no $\tau$-actions for graphs on the 
left-hand side, and $\tau$-actions on the right-hand side being the tracer actions. We 
omit the subscripts R and S when they are clear from the context. 
We begin by demonstrating that colored graphs with the tracer and mutator 
actions are behaviorally equivalent to their underlying graph with the simple 
memory actions. The actual proof is not complicated given the results we have 
already established. 

Lemma 5. If $T$ is a bisimulation and $C\,T\,G$ then $C \approx G$. 

Proof. By a simple coinduction. 

We now show that the relation $|C| = G$ is a bisimulation for the colored-graph 
actions $\rightarrow_C$ and the graph actions $\rightarrow_G$, and so $C \approx |C|$. 

Lemma 6. If $|C| = G$ and $C \xrightarrow{a} D$ then there is an $H$ such that $G \xrightarrow{a} H$ and 
$|D| = H$. 

Proof. By a simple induction on actions $C \xrightarrow{a} D$ we can show that $|C| \xrightarrow{a} |D|$, 
so we take $H$ to be $|D|$. 

Lemma 7. If $|C| = G$ and $G \xrightarrow{a} H$ then there is a $D$ such that $C \xrightarrow{a} D$ and 
$|D| = H$. 

Proof. By induction on actions G — >■“ H. The difficult cases are Load, Store and 
Alloc. We consider Load. 

We know that $a$ is a root, that there is an edge $l$ from $a$ to $b$ and an edge $m$ 
from $b$ to $c$, and that there is no node $d$ such that there is an edge $n$ from $a$ to $d$. 

We consider the possible colors of a. If it is white or grey then we can simply 
perform a Load, because the side-condition is satisfied. If a is black then we 
need to consider the possible colors of c, where if c is black or grey then we can 
perform a Load. Finally, if c is white we need to consider the colors of b. b cannot 
be white or black because this contradicts the invariant. Hence b is grey, and we 
can perform a Load. 

Lemma 8. $C \approx |C|$ for all colored graphs $C$. 

Proof. $|C| = G$ is a bisimulation by Lemmas 6 and 7, and so $C \approx |C|$ by 
Lemma 5. 



4.2 Termination 

We now show that tracer actions terminate, which guarantees that there cannot 
be an infinite sequence of $\tau$-actions preventing an observable action. 

Lemma 9. For all colored graphs $G$, the $\tau$-actions starting from $G$ terminate. 

Proof. By double induction on the number of white and grey nodes in $G$. 

Suppose $G \xrightarrow{\tau} G'$. By case analysis on this we show that $G'$ is terminating, 
and so by definition of termination $G$ is terminating. 

— Root. Then the number of white nodes in $G'$ is less than those in $G$, so by 
the induction hypothesis $G'$ is terminating. 

— Child. Again the number of white nodes in $G'$ is less than that in $G$. 

— Black. Then the number of grey nodes in $G'$ is less than those in $G$, and the 
number of white nodes stays constant, so by the induction hypothesis $G'$ is 
terminating. 



5 Conclusions and Further Work 

We have introduced a new formal model of memory that captures the basic ope- 
rations simply and cleanly. We have extended this model to incremental tracing 
using the common intuition of colors from the memory management community, 
and shown that the two models of memory are behaviorally equivalent. Further- 
more, we have established that bisimilarity is an equivalence and a congruence 
for the natural operations on graphs. This work lays the foundation for further 
research into verifying implemented algorithms for incremental tracing. 

There are many areas for further work. The most important is the study of 
incremental collection in addition to incremental tracing. There is an intuitive 
action for collecting that is simple to formalize. In the ideal representation of 
memory, if a graph $G$ has an inaccessible node $a$ then $G$ should be able to 
transition unobservably to the graph $G'$ where the node $a$ is removed. In the 
colored graph representation, if all of the roots in a colored graph $C$ are black, 
there are no grey nodes in $C$ and there is a white object $a$ then $C$ should be able 
to transition unobservably to the graph $C'$ where the node $a$ has been removed. 

However, the more complex notion to capture in this framework is the reset- 
ting of the collector. Different implementations will lead to dramatically different 
ways of coloring the graph on reset. For example, if the whole of memory is being 
collected by a copy collector then all nodes can be colored white on reset, but 
if we use condemned zones then only a restricted subset of the nodes will be 
colored white, with the majority remaining black and a few being colored grey. 
It is because of this wide variation of possible resetting behaviors that we have 
not yet formalized the collection phase. 

An anonymous referee suggested that the operations may also capture con- 
current tracing. We have not investigated whether the operations are sound for 
existing concurrent tracing algorithms, but this is an interesting area for future 
research. 

Another important area that we have left unexplored is the actual verification 
that a particular implementation of memory and memory management satisfy 
the axioms we have set out. This seems to be an interesting project that could 
be proposed as a Master’s thesis. 

A direction for further work is to investigate similarity for the tracer actions, 
which says that a collection of actions over the colored graphs is a restriction of 
the tracer actions. This notion can capture refinement or implementation of the 
full class of possible tracer actions by a more particular algorithm. 
Abstract. We deal with the distribution of N points placed consecu- 
tively around the circle by a fixed angle of a. From the proof of Tony 
van Ravenstein [RAV88], we propose a detailed proof of the Steinhaus 
conjecture whose result is the following: the N points partition the circle 
into gaps of at most three different lengths. 

We study the mathematical notions required for the proof of this theorem 
revealed during a formal proof carried out in Coq. 



Introduction 

Originally, the three gap theorem was the conjecture of H. Steinhaus. Sub- 
sequently, several proofs were proposed by [SOS57] [SOS58] [SWI58] [SUR58] 
[HAL65] [SLA67] [RAV88]. The proof proposed in this paper is a presentation 
of the proof completely formalized in the Coq proof assistance system [MAY99]. 
This formal proof is based on Tony van Ravenstein's [RAV88]. 

This kind of demonstration, which involves geometrical intuition, is a real chal- 
lenge for proof assistance systems. That is what motivated our work. Therefore, 
the interest of such an approach is to understand, by means of an example, if 
the Coq system allows us to prove a theorem coming from pure mathematics. 

In addition, this development allowed us to clarify some points of the proof and 
has led to a more detailed proof. 

First, we will define the notations and definitions used for stating and proving 
this theorem. The second part deals with different states of the theorem and 
with the proof itself. Finally, the last part presents advantages of the formal 
proof stating the main differences between our proof and Tony van Ravenstein’s 
proof. 



1 Notations and Definitions 

1.1 Notations 

We can refer to figure 1. 

— $\mathbb{N}$ is the natural numbers set. 

T. Coquand et al. (Eds.): TYPES’99, LNCS 1956, pp. 162-173, 2000. 
© Springer- Verlag Berlin Heidelberg 2000 
Fig. 1. The three gap theorem 



— $\mathbb{R}$ is the real numbers set. 

— The integer part of a real number $r$ is noted $E(r)$. 

— The fractional part of a real number $r$, i.e. $r - E(r)$, is written $\{r\}$. 

— The first point on the circle is the point 0. 

— Unless explicitly mentioned, we consider $N$ points distributed around the 
circle. These are numbered from $0$ to $N - 1$. 

— We consider the circle of unit circumference and with a clockwise orientation. 

— $\alpha$ is counted in turns of the circle (and not in radians); then $0 < \alpha < 1$. 

— The first point ($\neq 0$ if $N > 1$) on the right of 0 is written $first(N)$. $first(N)$ 
is a function from the natural numbers to the natural numbers. 

— The last point ($\neq 0$ if $N > 1$) before 0 is written $last(N)$. $last(N)$ is a function 
from the natural numbers to the natural numbers. 

— $n \in Circle$ is equivalent to $0 \le n < N$. 
Remark 1. The distance from point 0 to point $n$ is $\{n\alpha\}$. 

1.2 Definitions 

The following definitions are valid for all a, rational or irrational. 

Lemma 1 (Existence of first). If $N \ge 2$ then there exists an integer 
$first(N) \in \mathbb{N}$ s.t. $0 < first(N) < N$ and $\forall m \in \mathbb{N}$, if $0 < m < N$ then 
$\{first(N)\alpha\} \le \{m\alpha\}$. 

Proof. 

By induction on $N$. 

- $N = 2$: in this case $first(N) = 1$. 

- Suppose the lemma holds for $N$: then there exists $first(N) \in \mathbb{N}$ s.t. 
$0 < first(N) < N$ and $\forall m \in \mathbb{N}$, if $0 < m < N$ then $\{first(N)\alpha\} \le \{m\alpha\}$; 

let us show that there exists $first(N+1) \in \mathbb{N}$ s.t. $0 < first(N+1) < N+1$ and 
$\forall m \in \mathbb{N}$, if $0 < m < N+1$ then $\{first(N+1)\alpha\} \le \{m\alpha\}$. 

By cases: 

- if $\{first(N)\alpha\} < \{N\alpha\}$ then $first(N+1) = first(N)$. 

- if $\{first(N)\alpha\} > \{N\alpha\}$ then $first(N+1) = N$. 

□ 



Lemma 2 (Existence of last). If $N \ge 2$ then there exists an integer 
$last(N) \in \mathbb{N}$ s.t. $0 < last(N) < N$ and $\forall m \in \mathbb{N}$, if $0 < m < N$ then 
$\{m\alpha\} \le \{last(N)\alpha\}$. 

Proof. 

Symmetrical proof with respect to first. 

□ 



The successor of a point on the circle (after) verifies the following property: 

Lemma 3 (Property of points for after). $\forall M \in \mathbb{R}$, if $0 \le M < 1$ then we 
have: 

either 

1. there exists an integer $I \in \mathbb{N}$ s.t. $0 < I < N$ and $M < \{I\alpha\}$ and $\forall m \in \mathbb{N}$, 
if $0 \le m < N$ and if $\{m\alpha\} > M$ then $\{m\alpha\} \ge \{I\alpha\}$ 

or 

2. $\forall m \in \mathbb{N}$, if $0 \le m < N$ then $0 \le \{m\alpha\} \le M$ 

Proof. 

By induction on $N$. 

- $N = 1$: 0 verifies the property. 

- Suppose the lemma holds for $N$ and prove it for $N+1$: the induction hypothesis 
is the following: 

either 

1. there exists an integer $I(N) \in \mathbb{N}$ s.t. $0 < I(N) < N$ and $M < \{I(N)\alpha\}$ and 
$\forall m \in \mathbb{N}$, if $0 \le m < N$ and if $\{m\alpha\} > M$ then $\{m\alpha\} \ge \{I(N)\alpha\}$ 

or 

2. $\forall m \in \mathbb{N}$, if $0 \le m < N$ then $0 \le \{m\alpha\} \le M$ 

We prove that: 

either 

1. there exists an integer $I(N+1) \in \mathbb{N}$ s.t. $0 < I(N+1) < N+1$ and 
$M < \{I(N+1)\alpha\}$ and $\forall m \in \mathbb{N}$, if $0 \le m < N+1$ and if $\{m\alpha\} > M$ then 
$\{m\alpha\} \ge \{I(N+1)\alpha\}$ 

or 

2. $\forall m \in \mathbb{N}$, if $0 \le m < N+1$ then $0 \le \{m\alpha\} \le M$ 

By cases: 

- if $0 \le M < \{N\alpha\}$ we are in case 1 and we continue by cases: 

  - if $\{N\alpha\} < \{I(N)\alpha\}$ then $I(N+1) = N$. 

  - if $\{I(N)\alpha\} < \{N\alpha\}$ then $I(N+1) = I(N)$. 

- if $\{N\alpha\} \le M < 1$ we are in case 2 and the proof is immediate by induction 
hypothesis. 

□ 



Definition 1 (after). For all points $n$ on the circle, the point $after(N, n)$ ve- 
rifies the property of points (lemma 3) for $M = \{n\alpha\}$ and is defined such that: 
if we are in case 1. then $after(N, n) = I$; 
if we are in case 2. then $after(N, n) = 0$. 

2 Statement and Proof of the Theorem 

2.1 Statement 

Statement in natural language: 

Theorem 1 (Intuitive statement). Let N points be placed consecutively 
around the circle by an angle of a. Then for all irrational a and natural N, 
the points partition the circle into gaps of at most three different lengths. 

As shown by theorem 1, the points are numbered in order of appearance; now, 
if we do more than one revolution around the circle, new points appear between 
the former points. Then, when the last point ($N - 1$) is placed, it is possible to 
number them again consecutively and clockwise. In this new numeration, we use 
only the definitions of first, last and after, from lemmas 1 and 2 and from 
definition 1. 

If we set $\|x\| = \min(\{x\}, 1 - \{x\})$, then the distance of a point $n$ from its succes- 
sor $after(N, n)$ is given by $\|after(N, n) - n\|$. In order to show that this function 
can have at most three values, we show that the function $(after(N, n) - n)$ can 
itself have at most three values. 

So, proving theorem 1 comes to the same thing as showing the following 
mathematical formulation, which we will prove in the next paragraph. 
Theorem 2 (The three gap theorem). 

\[
after(N, m) - m =
\begin{cases}
first(N) & \text{if } 0 \le m < N - first(N) \\
first(N) - last(N) & \text{if } N - first(N) \le m < last(N) \\
-last(N) & \text{if } last(N) \le m < N
\end{cases}
\]

Remark 2. 

1. This transcription means that the circle of $N$ points is divided into 
$N - first$ gaps of length $\|first \cdot \alpha\|$, 
$N - last$ gaps of length $\|last \cdot \alpha\|$ and 
$first + last - N$ gaps of length $\|first \cdot \alpha\| + \|last \cdot \alpha\|$. 

2. Theorem 2 is true for $\alpha$ rational and irrational. Here, however, we present 
only the proof for $\alpha$ irrational. Indeed, most of the intermediate results are 
false for $\alpha$ rational (among other reasons because first, last and after are 
no longer functions). Moreover, the theorem is trivially true for $\alpha$ rational: 
if $\alpha = p/q$ then the circle may include one or two lengths of gap, depending 
on whether $N < q$ or $N = q$. 
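Theorem 2 and Remark 2 checked numerically, as an added example that is not part of the paper: `first`, `last` and `after` are computed directly from Lemmas 1, 2 and Definition 1, `theorem2_step` is the right-hand side of Theorem 2, and `gap_counts` is the count of gaps of each length from Remark 2. The golden-ratio value of $\alpha$ and the small values of $N$ are this example's own choices; a floating point number stands in for the irrational $\alpha$, which is sound here because the fractional parts involved are pairwise distinct.

```python
# Added example (not from the paper): first, last, after and Theorem 2 computed
# numerically for the N points {0}, {alpha}, ..., {(N-1) alpha} on the unit circle.
# Floating point stands in for the irrational alpha; for the small N used here the
# fractional parts are pairwise distinct, which is all the definitions require.
import math


def frac(x):
    """Fractional part {x} = x - E(x)."""
    return x - math.floor(x)


def first(N, alpha):
    """Lemma 1: the point m in 1..N-1 with the smallest {m alpha} (first to the right of 0)."""
    return min(range(1, N), key=lambda m: frac(m * alpha))


def last(N, alpha):
    """Lemma 2: the point m in 1..N-1 with the largest {m alpha} (last before 0)."""
    return max(range(1, N), key=lambda m: frac(m * alpha))


def after(N, n, alpha):
    """Definition 1: the clockwise successor of point n, or 0 when nothing lies beyond {n alpha}."""
    M = frac(n * alpha)
    beyond = [m for m in range(N) if frac(m * alpha) > M]
    return min(beyond, key=lambda m: frac(m * alpha)) if beyond else 0


def theorem2_step(N, m, alpha):
    """The right-hand side of Theorem 2 for the point m."""
    f, l = first(N, alpha), last(N, alpha)
    if m < N - f:
        return f
    if m < l:
        return f - l
    return -l


def gap_lengths(N, alpha):
    """Clockwise gap from each point to its successor, keyed by the point.
    {(after - m) alpha} equals {after alpha} - {m alpha}, or 1 - {m alpha} when after is 0."""
    return {m: frac((after(N, m, alpha) - m) * alpha) for m in range(N)}


def check_three_gap(N, alpha):
    """Return (formula agrees with after for every m, number of distinct gap lengths)."""
    agrees = all(after(N, m, alpha) - m == theorem2_step(N, m, alpha) for m in range(N))
    distinct = {round(g, 9) for g in gap_lengths(N, alpha).values()}
    return agrees, len(distinct)


def gap_counts(N, alpha):
    """Remark 2: (N - first, N - last, first + last - N) gaps of the three lengths."""
    f, l = first(N, alpha), last(N, alpha)
    return N - f, N - l, f + l - N


if __name__ == "__main__":
    golden = (math.sqrt(5) - 1) / 2
    for N in (5, 7, 20):
        print(N, check_three_gap(N, golden), gap_counts(N, golden))
```

For $N = 7$ and $\alpha = (\sqrt{5} - 1)/2$ one gets $first(7) = 5$ and $last(7) = 3$, so $M = 8 > N$ and all three cases of Theorem 2 are populated: two gaps of length $\|5\alpha\|$, four of length $\|3\alpha\|$ and one of their sum. For $N = 5$ one has $first + last = N$, the middle case is empty and only two lengths occur, which is the situation of Lemma 4 below.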



2.2 Proof 

We recall that the proof is detailed for $\alpha$ irrational and $N \ge 2$. 

Lemma 4 (particular case). If $N = first(N) + last(N)$ then 

\[
after(N, m) - m =
\begin{cases}
first(N) & \text{if } 0 \le m < last(N) \\
-last(N) & \text{if } last(N) \le m < N
\end{cases}
\]
Proof. 

1. Case $0 \le m < last(N)$: 

For $m = 0$, by definition of first we have $after(N, 0) = first(N)$. 

We want to prove that $m + first(N)$ is the successor of $m$. 

Let us first show that $m + first(N)$ belongs to the circle of $N$ points: 
if $0 \le m < last(N)$ then 

$0 < 0 + first(N) \le m + first(N) < last(N) + first(N) = N$. 

Now, let us show that: if $i$ is any point of the circle ($0 \le i < N$) then 
we have either $\{i\alpha\} \le \{m\alpha\}$ or $\{i\alpha\} \ge \{(m + first(N))\alpha\}$. 

By reductio ad absurdum and by cases: 

let us suppose that $\{m\alpha\} < \{i\alpha\} < \{(m + first(N))\alpha\}$ 

— if $i > m$ then $0 < \{i\alpha\} - \{m\alpha\} < \{(m + first(N))\alpha\} - \{m\alpha\}$ therefore 
$0 < \{(i - m)\alpha\} < \{first(N)\alpha\}$ which contradicts the definition of first, 
since $(i - m) \in Circle$ because $0 < i - m < N$. 

— if $i < m$ then $\{(m + first(N))\alpha\} - \{i\alpha\} < \{(m + first(N))\alpha\} - \{m\alpha\}$ 
therefore $\{(m + first(N) - i)\alpha\} < \{first(N)\alpha\}$ which contradicts 
the definition of $first(N)$, since $(m + first(N) - i) \in Circle$ because 
$0 < m + first(N) - i < N$. 

In these two former cases $\{(m + first(N))\alpha\} - \{m\alpha\} = \{first(N)\alpha\}$ if 
$\{m\alpha\} < \{(m + first(N))\alpha\}$. 

Let us show this by reductio ad absurdum: 
if $\{(m + first(N))\alpha\} < \{m\alpha\}$ then 

$\{(m + first(N))\alpha\} - \{first(N)\alpha\} < \{m\alpha\} - \{first(N)\alpha\}$ 

therefore by definition of first $\{m\alpha\} \le \{m\alpha\} - \{first(N)\alpha\}$ which is 
absurd because $\{first(N)\alpha\} > 0$ for $N \ge 2$. 

2. Case $last(N) \le m < N$: 

For $m = last(N)$, by definition of last we have $after(N, last(N)) = 0$. 

We want to prove that $m - last(N)$ is the successor of $m$. 

Let us first show that $m - last(N)$ belongs to the circle of $N$ points: 
if $last(N) \le m < N$ then 

$0 \le last(N) - last(N) \le m - last(N) < N - last(N) < N$ because 
$last(N) > 0$. 

Now, let us show that: if $i$ is any point of the circle ($0 \le i < N$) then we 
have either $\{i\alpha\} \le \{m\alpha\}$ or $\{i\alpha\} \ge \{(m - last(N))\alpha\}$. 

By reductio ad absurdum and by cases: 

let us suppose that $\{m\alpha\} < \{i\alpha\} < \{(m - last(N))\alpha\}$ 

— if $i < m$ then $\{m\alpha\} - \{i\alpha\} + 1 > \{m\alpha\} - \{(m - last(N))\alpha\} + 1$ 
therefore $\{(m - i)\alpha\} > \{last(N)\alpha\}$ which contradicts the definition of 
last, since $(m - i) \in Circle$ because $0 < m - i < N$. 

— if $m < i$ then 

$\{m\alpha\} - \{(m - last(N))\alpha\} + 1 < \{i\alpha\} - \{(m - last(N))\alpha\} + 1$ 
therefore $\{last(N)\alpha\} < \{(i + m - last(N))\alpha\}$ 

which contradicts the definition of last, since $(i + m - last(N)) \in Circle$ 
because $0 < i + m - last(N) < N$. 

In these two former cases $\{m\alpha\} - \{(m - last(N))\alpha\} + 1 = \{last(N)\alpha\}$ if 
$\{m\alpha\} < \{(m - last(N))\alpha\}$. 

As $\alpha$ is irrational and by definition of last we have $\{m\alpha\} < \{last(N)\alpha\}$, 
therefore $\{(m - last(N))\alpha\} = \{m\alpha\} - \{last(N)\alpha\} + 1$ and we have effec- 
tively $\{m\alpha\} < \{m\alpha\} - \{last(N)\alpha\} + 1$, since $\{last(N)\alpha\} < 1$. 
Remark 3. The fact that $\alpha$ is irrational is essential for showing that 
$\{m\alpha\} \neq \{last(N)\alpha\}$. Indeed, as in this case we have $m \neq last(N)$, therefore 
$\{m\alpha\} \neq \{last(N)\alpha\}$. Let us show this by contradiction. 

In order to do so, let us suppose $\{m\alpha\} = \{last(N)\alpha\}$. 

Then $\{m\alpha\} - \{last(N)\alpha\} = 0$, therefore $\{(m - last(N))\alpha\} = 0$ and as only an 
integer number has a fractional part equal to zero we have $(m - last(N))\alpha = k$, 
$k \in \mathbb{N}$, from which we conclude that $\alpha = k/(m - last(N))$ which contradicts $\alpha$ 
irrational. 

□ 



Let us prove now the general case. 

Let us set for the rest of the proof $M = first(N) + last(N)$. 

Lemma 5 (Relationship between N and M). $N \le M$. 

Proof. 

By reductio ad absurdum. We suppose $M < N$ and we show that, in this case, 
the point $first(N) + last(N)$ is situated either before first, or after last, which 
contradicts their definition. 

Let us show, therefore, that either $\{(first(N) + last(N))\alpha\} < \{first(N)\alpha\}$ or 
$\{(first(N) + last(N))\alpha\} > \{last(N)\alpha\}$: 

Let us consider the following cases: 

1. $\{first(N)\alpha\} + \{last(N)\alpha\} < 1$: 

since for $N \ge 2$ $\{first(N)\alpha\} > 0$ we can write that 
$\{first(N)\alpha\} + \{last(N)\alpha\} > \{last(N)\alpha\}$, thus that 
$\{(first(N) + last(N))\alpha\} > \{last(N)\alpha\}$. 

2. $\{first(N)\alpha\} + \{last(N)\alpha\} \ge 1$: 

in the same way we can write, using the fact that $0 \le \{\cdot\} < 1$, that 
$\{first(N)\alpha\} + \{last(N)\alpha\} - 1 < \{first(N)\alpha\}$, thus that 
$\{(first(N) + last(N))\alpha\} < \{first(N)\alpha\}$. 



□ 



Lemma 6. $first(N) = first(M)$. 

Proof. 

By definition of first, we know that for all $a$ and $b$ s.t. $0 < a < N$ and $0 < b < N$ 
we have that if $\{a\alpha\} \le \{b\alpha\}$ then $a = first(N)$. 

Let us take $N = M$ and $a = first(N)$, and then we have for all $b$ s.t. $0 < b < M$: 
if $\{first(N)\alpha\} \le \{b\alpha\}$ then $first(N) = first(M)$. 

Now, it is sufficient to show that $\{first(N)\alpha\} \le \{b\alpha\}$ $\forall b$, $0 < b < M$: 

For $0 < b < N$ it is the definition of first (lemma 1). 

For $N \le b < M$, by reductio ad absurdum: let us suppose that 
$\{b\alpha\} < \{first(N)\alpha\}$. 

As $b < M = first(N) + last(N)$ we have immediately that 

$b - first(N) < last(N) < N$ and $b - last(N) < first(N) < N$ 

and by definition of first and last that $\{(b - first(N))\alpha\} \le \{last(N)\alpha\}$ and 
$\{first(N)\alpha\} \le \{(b - last(N))\alpha\}$. 

Therefore we have, owing to the hypothesis of contradiction and to lemmas 1 
and 2, that: 

$\{b\alpha\} - \{first(N)\alpha\} + 1 \le \{last(N)\alpha\}$ and 
$\{first(N)\alpha\} \le \{b\alpha\} - \{last(N)\alpha\} + 1$, which implies that 
$\{last(N)\alpha\} + \{first(N)\alpha\} - \{b\alpha\} - 1 = 0$, thus that 

$\{(b - first(N))\alpha\} = \{last(N)\alpha\}$. But, as shown in Remark 3, this equality 
compels $\alpha$ to be rational if $b - first(N) \neq last(N)$, which is the case. 

□ 

Lemma 7. $last(N) = last(M)$. 

Proof. 

Symmetrical proof with the previous. 

□ 

Lemma 8. For all $n$ s.t. $0 \le n < N - first(N)$ or $last(N) \le n < N$ we have 
$after(N, n) = after(M, n)$. 

Proof. 

We proceed by cases: 

1. Case $0 \le n < N - first(N)$: 

Using the irrationality of $\alpha$ (counterpart of remark 3) we have that to prove 
this lemma is equivalent to $\{after(N, n)\alpha\} = \{after(M, n)\alpha\}$, which is also 
equivalent to 

$\{after(N, n)\alpha\} \le \{after(M, n)\alpha\}$ and $\{after(M, n)\alpha\} \le \{after(N, n)\alpha\}$. 

Let us proceed by cases and by reductio ad absurdum: 

— Case $\{after(N, n)\alpha\} \le \{after(M, n)\alpha\}$: 

Let us suppose that $\{after(N, n)\alpha\} > \{after(M, n)\alpha\}$. 

According to lemma 3, we show immediately the following property: 

$\forall N \in \mathbb{N}$, $\forall n, k \in Circle$, if $\{n\alpha\} < \{k\alpha\}$ and if $\{k\alpha\} \neq \{after(N, n)\alpha\}$ 
then $\{after(N, n)\alpha\} < \{k\alpha\}$. Let us use this property with 
$k = after(M, n)$. We directly get the contradiction on condition that: 

— $n \in Circle$, i.e. $0 \le n < N$; true by case 1. 

— $after(M, n) \in Circle$, i.e. $0 \le after(M, n) < N$; true using lemma 4. 

— $\{n\alpha\} < \{after(M, n)\alpha\}$ by definition of after (lemma 3 and defini- 
tion 1) + lemma 4 (in order to show that $after(M, n) \neq 0$). 

— $\{after(M, n)\alpha\} \neq \{after(N, n)\alpha\}$ true by hypothesis of contradic- 
tion. 

— Case $\{after(M, n)\alpha\} \le \{after(N, n)\alpha\}$: 

Let us suppose that $\{after(M, n)\alpha\} > \{after(N, n)\alpha\}$. We use the 
same property taking $k = after(N, n)$ and $N = M$ (except in $k$). 

2. Case $last(N) \le n < N$: the proof is done in the same way. 

□ 
For $n$ situated in the third gap, the value of $after(N, n)$ is given from the 
following lemma: 

Lemma 9. For all $n$, $N - first(N) \le n < last(N)$, there does not exist 
$k \in Circle$ s.t. $\{n\alpha\} < \{k\alpha\} < \{(n + first(N) - last(N))\alpha\}$. 

Proof. 

Reductio ad absurdum. 

Let us suppose there exists one $k \in Circle$ s.t. 

$\{n\alpha\} < \{k\alpha\} < \{(n + first(N) - last(N))\alpha\}$. 

This $k$ verifies one of the three following cases (total order on the real numbers): 

1. if $\{k\alpha\} < \{after(M, n)\alpha\}$: 

then $\{n\alpha\} < \{k\alpha\} < \{after(M, n)\alpha\}$ which contradicts the definition of 
the function after. 

2. if $\{k\alpha\} = \{after(M, n)\alpha\}$: 

according to lemmas 4 and 6, $after(M, n) = n + first(N)$. But, as $\alpha$ is 
irrational, we ought to have $k = n + first(N)$ which contradicts the hypo- 
theses $n < last(N)$ and $k < N$ (using lemma 5). 

3. if $\{k\alpha\} > \{after(M, n)\alpha\}$: 

we use the already seen property $\forall N \in \mathbb{N}$, $\forall j, k \in Circle$, if $\{j\alpha\} < \{k\alpha\}$ 
and if $\{k\alpha\} \neq \{after(N, j)\alpha\}$ then $\{after(N, j)\alpha\} < \{k\alpha\}$, with $N = M$, 
$j = n + first(N)$. 

Then we have, using principally lemma 4, that 

$\{(n + first(N) - last(N))\alpha\} < \{k\alpha\}$ which contradicts the hypothesis. 

□ 



Proof of Theorem 2 

Let us suppose that the circle includes $M$ points. Then, we know how to 
show the theorem (lemma 4). Now, it is sufficient "to remove" the $M - N$ points 
which are too many. 

1. if $0 \le n < N - first(N)$ then: 

according to lemma 5 we have $0 \le n < N - first(N) \le last(N)$. Using 
lemmas 6, 7, 8 and 4 we immediately get the result. 

2. if $N - first(N) \le n < last(N)$ then: 

using lemma 9, we show that the $M - N$ points from $N$ do not exist and by 
definition of after (lemma 3 and definition 1) we get the result. 

3. if $last(N) \le n < N$ then: 
as in case 1. 



□ 



Conclusion 

The proof given in this paper has been developed from a proof completely 
formalized in the system Coq [BB+97]. 
The Advantages of a Formal Proof 

With a mathematical theorem such as this, the interest is twofold: the first 
consists in indicating the possible limits of the proof assistance system in order 
to improve it; the second is emphasizing the basic mathematical properties or 
hypotheses used implicitly during the demonstration. 

This proof is based on geometrical intuitions, and the demonstration of these 
intuitions often requires, for example, basic notions about the fractional parts. 
Even so, these notions are neither easy to formalize nor to prove in a system 
where real numbers are not naturally found, unlike other types which can be 
easily defined inductively. So, one challenge was to prove this theorem from a 
simple axiomatization of the real numbers. The formulation of real numbers used 
for this will be discussed further. 

Throughout this work, we confirmed that the Coq proof assistant system 
allows us to work out some purely mathematical proofs. For more details, see 
[MAY99]. 

Moreover, it is interesting to notice that the theorem shown is, in some sense, 
stronger than that which was stated initially. Indeed, not only do we show that 
there are at most three different lengths of gaps, but we can also give their value 
and their place on the circle. This modified statement is due to [RAV88]. 

From the proof completely formalized in Coq, we can, for instance, compare 
this informal proof resulting from the formal proof with that of Tony van Ra- 
venstein. 



Properties about $\mathbb{R}$ 

— Two possibilities exist to describe the real numbers: we can construct the 
reals or axiomatize them. We chose an axiomatic development for reasons 
of simplicity and rapidity. We can refer to [LAN71] and [LAN51] for con- 
structions from Cauchy sequences or Dedekind cuts. Most properties of 
the real numbers (commutative field, order, the Archimedean axiom) are first 
order properties. On the other hand, the completeness property is a second 
order property, as it requires quantification over sets of real numbers. In- 
stead of this axiom, we can put an infinity of first order axioms, according to 
which any polynomial of odd degree has a root in $\mathbb{R}$. Hence, we get the "real 
closed field" notion. We thus chose axiomatization at the second order based 
on the fact that $\mathbb{R}$ is a commutative ordered Archimedean and complete field. 
For these notions, we based our work on [DIE68] and [HAR96]. 

— The formal proof showed us that the axiom of completeness of the real 
numbers was not necessary. Therefore, the statement and the proof of this 
theorem are true in all commutative ordered Archimedean fields. 
Archimedes' axiom could also be replaced by a weaker axiom making it 
possible to define only the fractional part. 

In the same way, E. Fried and V. T. Sós have given a generalization of this 
theorem for groups [FR+92]. 
The Fractional Parts 

Many intermediate lemmas had to be proved. The formal proof, for instance, 
made it possible to identify four lemmas concerning the fractional part, which 
had remained implicit in Tony van Ravenstein's proof, and are at the heart of 
the proof. 

— if $\{r_1\} + \{r_2\} \ge 1$ then $\{r_1 + r_2\} = \{r_1\} + \{r_2\} - 1$ 

— if $\{r_1\} + \{r_2\} < 1$ then $\{r_1 + r_2\} = \{r_1\} + \{r_2\}$ 

— if $\{r_1\} \ge \{r_2\}$ then $\{r_1 - r_2\} = \{r_1\} - \{r_2\}$ 

— if $\{r_1\} < \{r_2\}$ then $\{r_1 - r_2\} = \{r_1\} - \{r_2\} + 1$ 



Degenerate Cases 

The formal proof makes it possible to separate the degenerate cases such 
as $N = 0$, $N = 1$ and $\alpha$ rational, which can be passed over in silence during 
an informal proof. 



$\alpha$ Irrational 

$\alpha$ irrational is the hypothesis used by Tony van Ravenstein, but the formalization 
shows precisely where this hypothesis is used (cf. remark 3). In particular, if $\alpha$ 
is rational, the points can be mingled, and after, for example, is then not a 
function. 



First(N) and First(M), Last, after 

During Tony van Ravenstein’s informal proof, we see that we can tolerate an 
inaccuracy in the dependence of first, last and after to N or M . Although this 
is not a mistake, the formal proof showed the necessity of proving these lemmas, 
which are not trivial (lemmas 6, 7 and 8). The formal proof makes it possible to 
say precisely where those lemmas are used. 



Use of the Classical Logic 

The formal proof carried out in the system Coq - from the axiomatization of 
real numbers as a commutative, ordered, Archimedean and complete field - is a 
classical proof, seeing that an intuitionistic reading of the total order involves the 
decidability of the equality of the real numbers, which obviously is not the case. 
Therefore, we can raise the question of the existence of a constructive proof of 
the three gap theorem. 

We could probably give an intuitionistic proof for each of the two cases, accor- 
ding to whether $\alpha$ is rational or irrational, because we know exactly the length of 
the gaps between two points of the circle. But the two cases cannot be treated 
at the same time. Thus in our proof it should be supposed that $\alpha$ is rational or 
not, and we do not see, so far, how to avoid this distinction. 
Abstract. We describe a formalisation of the Curry-Howard-Lawvere 
correspondence between the natural deduction system for minimal logic, 
the typed lambda calculus and Cartesian closed categories. We formalise 
the type of natural deduction proof trees as a family of sets $\Gamma \vdash A$ inde- 
xed by the current assumption list $\Gamma$ and the conclusion $A$ and organise 
numerous useful lemmas about proof trees categorically. We prove ca- 
tegorical properties about proof trees up to (syntactic) identity as well 
as up to $\beta\eta$-convertibility. We prove that our notion of proof trees is 
equivalent in an appropriate sense to more traditional representations of 
lambda terms. 

The formalisation is carried out in the proof assistant ALF for Martin- 
Löf type theory. 



1 Introduction 

The background of the present paper is as follows. D. Cubric, P. Dybjer and 
P. Scott discovered an elegant categorical decision method for equality in the free 
ccc [8] . This method was based on extracting an algorithm from some basic cate- 
gorical facts related to the Yoneda lemma. To this end it was necessary to develop 
a certain version of constructive category theory, so called P-category theory, 
which can be formalised inside a constructive metalanguage such as Martin-L6f 
type theory. It was also necessary to build various P-categories from the syntax 
of the typed lambda calculus. 

The paper by Cubric, Dybjer, and Scott was written in an ordinary 
mathematical style and did not discuss formalisation in Martin-Löf type theory in 
detail. We have now succeeded in formalising a major part of Cubric, Dybjer, 
and Scott [8] and are thus close to having verified the informal claims of that 
paper. 

The present paper is an outgrowth of our formalisation effort. A key issue 
was how to formalise typed lambda terms inside Martin-Löf type theory and 
how to organise the necessary lemmas about them in a good way. 

We shall here show how to formalise the formulas-as-types-as-objects 
correspondence ("Curry-Howard-Lawvere") inside Martin-Löf type theory, a 
metalanguage which itself is based on the formulas-as-types correspondence. We 
consider the following basic part of the correspondence: 

    minimal logic             typed λ-calculus         cccs
    -------------             ----------------         ----
    formulas                  types                    objects
    natural deduction         lambda terms             arrows
    proof trees
    convertibility            convertibility           equality
    of proof trees            of lambda terms          of arrows

© Springer-Verlag Berlin Heidelberg 2000 


Let us first recall how these notions are typically presented informally in 
textbooks. To explain what a natural deduction proof tree is, one gives a number 
of rules for building such proof trees. An example is the →-introduction rule 

         [A]
          :
          B
       -------
       A → B

In general a proof tree may contain assumptions, such as [A] above, and one 
has to explain what it means for an assumption to be discharged. The intention 
is to give enough informal explanations so that the reader will be able to build 
correct proof trees and to distinguish correct proof trees from incorrect ones. 

It is clear that such an informal explanation can be modelled formally 
inside a standard mathematical metalanguage such as set theory, where relevant 
notions such as "tree" and "inductively defined collection" have well-known 
representations. But it is also clear that an informal presentation usually leaves 
many choices of such representations open. In traditional logic, not much 
attention has been paid to such choices. However, they are a central concern to 
someone who does formal metamathematics (perhaps on a machine). We shall 
not discuss them in detail in this paper. In this paper we shall use Martin-Löf 
type theory as a metalanguage. 

Returning to natural deduction proof trees, we note that it has become 
increasingly common to replace the traditional notation for natural deduction 
proofs, as shown above, by a sequent notation, which makes the current list of 
undischarged hypotheses explicit. With this notation the rule of →-introduction 
becomes 

       Γ, A ⊢ B
       ---------
       Γ ⊢ A → B

The introduction of this notation is helpful for mechanisation. We can view it 
either as a more explicit presentation of the "same" mathematical concept or a 
different, but equivalent, concept. The following obvious (?) point is important 
for formal metamathematics: if we, by formal proof, formal definition, etc., mean 
a proof inside a given metalanguage, then a textbook definition of a "formal" 
system is informal, except in the unusual case where a specific metalanguage is 
given and the formalisation of the system inside that metalanguage is given in 
complete detail! So, even if the sequent-style presentation of minimal logic is as 
rigorous as anyone can require, it is still not formal. The process of formalising 
such an informal notion is, as all mathematical modelling, a subjective and 
experimental activity. 

Consider now instead lambda terms, which according to the Curry-Howard 
correspondence can be used to denote natural deduction proofs. For example, 
the rule of →-introduction in the typed lambda calculus becomes 

        [x : A]
           :
         b : B
      -------------
      λx.b : A → B

where the term b, depending on x, represents the hypothetical proof of B from 
A, and the term λx.b represents the proof of A → B obtained by using 
→-introduction on the hypothetical proof. 

Again, as for the proof trees, when we want to formalise a textbook 
presentation of the typed lambda calculus, we have to make various choices. For 
example, should we first introduce a specific set of raw terms and then define 
typing as a relation between raw terms, types and contexts? Or should we try 
directly to inductively define a family of sets of terms, indexed by the types? We 
will show that these two ways are equivalent in the sense that we can build two 
isomorphic categories with families from such terms modulo βη-conversion. 

The rest of the paper is organised as follows. In section 2 we give the formal 
definitions (inside Martin-Löf type theory/ALF [16,14]) of minimal logic. In 
section 3 we introduce the notion of a simple category with families. In section 
4 we show some properties of minimal logic structured as properties of three 
P-categories with families: (V,=) of proofs (up to syntactic equality) of the 
assumption rule; (T,=) of proof trees (up to syntactic equality); and (T,~) of 
proof trees up to βη-convertibility. In section 5 we formalise typed λ-calculus 
based on raw terms and prove that the three corresponding categories with 
families are isomorphic to those in section 4. 

The ALF-files relating to the paper can be retrieved from the ftp-directory 
ftp://ftp.cs.Chalmers.se/pub/users/qiao/CHM/. 

2 Formalising Natural Deduction Proof Trees 

2.1 Formulas and Contexts 

Let X be a set of atomic formulas. The set Formula of formulas of minimal logic 
is then inductively generated by the following rules: 

           x : X                  A, B : Formula
      -----------------         -----------------
      atom(x) : Formula          A → B : Formula

For simplicity we have assumed only one atom, i.e. X = {O}. In ALF the 
definition of the set Formula (Type is used instead of Formula) is given as the 
following sequence of typings: 

    Type ∈ Set
    O ∈ Type
    Arrow ∈ (Type; Type) Type


The set Context contains "snoc"-lists of formulas inductively generated by 
the following rules: 

                          Γ : Context    A : Formula
      ------------        --------------------------
      [] : Context             Γ;A : Context

Context is given as follows in ALF: 

    Context ∈ Set
    Nil ∈ Context
    Cons ∈ (Γ ∈ Context; A ∈ Type) Context

Here (A)B is ALF's notation for the type of functions from A to B. (A0; A1)B 
is an abbreviation of (A0)(A1)B, the type of binary curried functions from A0 
and A1 to B. Furthermore, ALF uses (x : A)B[x] for the dependent function 
type, that is, the type of functions which map an object x : A to an object of 
B[x], where B[x] is a type which may depend on x. The notation (x0 : A0; x1 : 
A1[x0])B[x0, x1] is an abbreviation of (x0 : A0)(x1 : A1[x0])B[x0, x1], the type of 
binary curried functions which map an x0 : A0 and an x1 : A1[x0] to an object 
of B[x0, x1]. 




2.2 The Assumption Rule 

In the sequent-style presentation of minimal logic, the assumption rule lets us 
conclude that 

      Γ ⊢ A

provided A is one of the formulas in Γ. 

Below, we shall formally define the family of sets Term(Γ, A) of natural deduction 
proof trees with conclusion A and assumption list Γ. One of its introduction 
rules will be the assumption rule in the following form: 

         v : Var(Γ, A)
      --------------------
      var(v) : Term(Γ, A)

where Var(Γ, A) is the set of proofs that A is a member of the list Γ. To improve 
readability we borrow the traditional infix notation and introduce the definitions 

      A ∈ Γ  =  Var(Γ, A)
      Γ ⊢ A  =  Term(Γ, A)

so that the assumption rule can be rewritten as 

         v : A ∈ Γ
      ----------------
      var(v) : Γ ⊢ A

Read: "if v is a proof that A is a member of Γ, then var(v) is a proof that A 
follows from Γ by assumption." 

The membership relation is inductively generated by the following two rules 

                               B : Formula    v : A ∈ Γ
      --------------------     ---------------------------
      0_{Γ,A} : A ∈ Γ;A         s_{Γ,A,B}(v) : A ∈ Γ;B

In ALF, the family A ∈ Γ is formalised as follows: 

    Var ∈ (Γ ∈ Context; A ∈ Type) Set
    Zero ∈ (Γ ∈ Context; A ∈ Type) Var(Cons(Γ, A), A)
    Succ ∈ (Γ ∈ Context; A, B ∈ Type; Var(Γ, A)) Var(Cons(Γ, B), A)

To make it more readable, as in the informal notation, we will suppress 
some uninteresting arguments in the constructors Zero and Succ: 

    Var ∈ (Γ ∈ Context; A ∈ Type) Set
    Zero ∈ Var(Cons(Γ, A), A)
    Succ ∈ (Var(Γ, A)) Var(Cons(Γ, B), A)




2.3 Proof Trees 

The following rules inductively generate the indexed family of sets of proof trees: 

         v : A ∈ Γ            b : Γ;A ⊢ B            c : Γ ⊢ A → B    a : Γ ⊢ A
      ----------------     ------------------       -------------------------
      var(v) : Γ ⊢ A       λ(b) : Γ ⊢ A → B            app(c, a) : Γ ⊢ B

The family Γ ⊢ A is implemented in ALF in the following way: 

    Term ∈ (Γ ∈ Context; A ∈ Type) Set
    Variable ∈ (v ∈ Var(Γ, A)) Term(Γ, A)
    Lambda ∈ (b ∈ Term(Cons(Γ, A), B)) Term(Γ, Arrow(A, B))
    Application ∈ (u ∈ Term(Γ, Arrow(A, B)); v ∈ Term(Γ, A)) Term(Γ, B)

Again, we have suppressed some arguments of the constructors and the 
corresponding premises of the inference rules. We will often do the same in the sequel 
without mentioning it. 



3 Simple Categories with Families 

We shall prove various categorical properties of our formal natural deduction 
proof trees. There are several reasons for this. Firstly, it turns out that many of 
the operations and lemmas needed for developing the meta-theory of natural de- 
duction have natural categorical interpretations. In other words, category theory 
can be used as a structuring device for a library of such lemmas. Secondly, a com- 
parison with categorical notions will highlight the “pseudo-categorical” nature 
of our formalisation. Thirdly, we want to show that there is more to say ab- 
out the correspondence between categories, typed lambda calculus and natural 
deduction proof trees, than the well-known correspondence between the typed 
lambda calculus and Cartesian closed categories. 

The point is that some of these properties will hold for proof trees up to 
syntactic identity, others will hold up to βη-convertibility. It turns out that 
these properties can be organised in an elegant categorical way, using the notion 
of category with families (cwf) [10]. 

Cwfs were introduced by Dybjer [10] to be an appropriate categorical notion 
of model for type-dependency. Similar notions have also been considered: 
Cartmell's contextual categories [5], Seely's locally Cartesian closed categories [20], 
and Pitts' categories with fibration [18]. Cwfs are closer to the traditional syntax 
of dependent types, and at the same time they are completely algebraic and have 
a nice categorical description. 

A cwf has a family Ty(Γ) of types in context Γ as part of its structure. 
Since we here do not consider dependent types, it suffices to consider cwfs 
where Ty(Γ) does not depend on Γ. We call such cwfs "simple". Similar notions 
are Obtulowicz's Church algebraic theories [17], Jacobs' indexed categories [13], 
Altenkirch, Hofmann and Streicher's contextual CCCs [2], etc. 

Definition 1 A simple cwf consists of the following parts: 

— A base category C. Its objects are called contexts and its morphisms are called 
  substitutions. We write Δ → Γ for the hom-set of morphisms (substitutions) 
  with source Δ and target Γ. 

— A set Ty of types. 

— A presheaf Tm_A : C^op → Set for each type A. The object part of the functor 
  associates to a context Γ the set Tm_A(Γ) (or Tm(Γ, A)) of terms and the 
  arrow part of the functor associates to a substitution γ the operation which 
  applies γ to a term a to get the result of the substitution a[γ]. 

— A terminal object [] of C called the empty context. 

— A context-extension operation which to a context Γ and a type A associates 
  a context Γ;A. Furthermore there is a substitution p : Γ;A → Γ (the first 
  projection) and a term q in the set Tm(Γ;A, A) (the second projection). The 
  following universal property holds: for each context Δ, substitution γ : Δ → 
  Γ, and term a : Tm(Δ, A), there is a unique substitution θ = ⟨γ, a⟩ : Δ → 
  Γ;A, such that p ∘ θ = γ and q[θ] = a. 

Simple cwfs can be axiomatised by taking the axiomatisation of general cwfs 
from Dybjer [10] and removing type-dependency. More information on cwfs can 
be found in Hofmann [11]. 

We will refer to a cwf as a structure (C, Ty, Tm). 

P-cwfs. When we formalise category theory in Martin-Löf type theory we shall 
follow Cubric, Dybjer, and Scott [8] and use P-categories. A P-category is a 
category where we replace the equality on arrows by a partial equivalence relation 
(per) systematically. Other notions in category theory will be prefixed by P- 
when they are used in the context of P-categories. 

A cwf (C, Ty, Tm) is called a P-cwf if the base category C is a P-category and 
the set Tm(Γ, A) is a P-set, i.e. a set with a partial equivalence relation. 

We will refer to a P-cwf as a structure (C, ~, Ty, Tm) or simply as a "pair" 
(C, ~) of the base category when we want to emphasise the per-structure on 
arrows. 
Definition 2 Let (C, Ty_C, Tm_C) and (D, Ty_D, Tm_D) be two simple P-cwfs. 
A morphism from (C, Ty_C, Tm_C) to (D, Ty_D, Tm_D) is a triple (F, T, θ): 

    F : C → D is a P-functor; 
    T : Ty_C → Ty_D is a function and 
    θ : Tm_C → Tm_D is a P-natural transformation, i.e. 
        θ(a[f]) ~ θ(a')[F(f')] if a ~ a' and f ~ f', where the notation ~ is overloaded. 

Furthermore, the terminal object and context comprehension are preserved 
up to isomorphism. 

Definition 3 Let (C, Ty_C, Tm_C) and (D, Ty_D, Tm_D) be two P-cwfs, 

    (F, T, θ) : (C, Ty_C, Tm_C) → (D, Ty_D, Tm_D) and 
    (F', T', θ') : (D, Ty_D, Tm_D) → (C, Ty_C, Tm_C) 

be a pair of morphisms. These morphisms form an isomorphism of cwfs if and only if 

1. F and F' form an isomorphism between the P-categories C and D. 

2. for any A ∈ |Ty_C|, T'(T(A)) ~ A and for any A ∈ |Ty_D|, T(T'(A)) ~ A 

3. for any a ∈ |Tm_C(Γ)|, θ'(θ(a)) ~ a and 
   for any a ∈ |Tm_D(Γ)|, θ(θ'(a)) ~ a 

where ~ refers to the per on the corresponding P-set. 

It is generally agreed that it is too restrictive to stipulate that the category 
laws hold up to the built-in identity of Martin-Löf type theory. This is because 
there is no quotienting operation. Most authors who have developed category 
theory inside Martin-Löf type theory have therefore used what could be called 
E-categories, where one requires a total equivalence relation on hom-sets. However, 
the extra generality of P-categories was crucial for the categorical normalisation 
proof of Cubric, Dybjer, and Scott [8]. 

To implement a simple P-cwf in ALF one defines a sequence of typings: 

    Pcwf = [Cont ∈ Set;
            ArrCon ∈ (Cont; Cont) Set;
            EqArr ∈ (Γ, Δ ∈ Cont; ArrCon(Γ, Δ); ArrCon(Γ, Δ)) Set;
            Cid ∈ (Γ ∈ Cont) ArrCon(Γ, Γ);
            Ccom ∈ (Γ, Δ, Θ ∈ Cont; ArrCon(Δ, Θ); ArrCon(Γ, Δ)) ArrCon(Γ, Θ);
            Typ ∈ Set;
            Tm ∈ (Cont; Typ) Set;
            Sub ∈ (Γ, Δ ∈ Cont; A ∈ Typ; Tm(Δ, A); ArrCon(Γ, Δ)) Tm(Γ, A);
           ]

An ALF-context can be used in two ways: one can both instantiate such 
a context to obtain a particular P-cwf, and assume it and reason from the 
assumption that one has an arbitrary P-cwf (as in the proof of freeness). 
4 Categorical Properties of Proof Trees 

4.1 The Assumption Rule 

We shall now define the P-cwf (V, =), the terms of which are proofs of the 
assumption rule up to syntactic equality. 

We define the set Δ ⊇ Γ of sequences of proofs of the assumption rule. The 
reason for the notation is that the elements of Δ ⊇ Γ may be thought of as proofs 
that the formulas in Γ form a subset of those of Δ. These proofs will also serve as 
arrows of the base category of (V,=). The introduction rules are 

      Δ : Context          vs : Δ ⊇ Γ    v : A ∈ Δ
      -----------          ----------------------
      () : Δ ⊇ []           (vs, v) : Δ ⊇ Γ;A

In ALF, Δ ⊇ Γ is represented by VarList(Δ, Γ): 

    VarList ∈ (Δ, Γ ∈ Context) Set
    Nilvar ∈ (Δ ∈ Context) VarList(Δ, Nil)
    ConsVar ∈ (vars ∈ VarList(Δ, Γ); v ∈ Var(Δ, A)) VarList(Δ, Cons(Γ, A))

Two arrows vs1, vs2 are equal, denoted vs1 = vs2, if they are identical 
point-wise: 

    EqualVars ∈ (vs1, vs2 ∈ VarList(Δ, Γ)) Set
    IntroNilVars ∈ EqualVars(Nilvar(Δ), Nilvar(Δ))
    IntroConVars ∈ (p1 ∈ EqualVars(vs1, vs2);
                    p2 ∈ I(v1, v2)
                   ) EqualVars(ConsVar(vs1, v1), ConsVar(vs2, v2))

where the identity type I is introduced as follows: 

    I ∈ (a, b ∈ A) Set
    r ∈ (a ∈ A) I(a, a)

Moreover, we define a few operations which are parts of the structure of a 
P-cwf. 

First we have the operation which maps v : A ∈ Γ and vs : Δ ⊇ Γ to 
v[vs] : A ∈ Δ: 

    ProjectVars ∈ (vs ∈ VarList(Δ, Γ); v ∈ Var(Γ, A)) Var(Δ, A)
    ProjectVars(ConsVar(vars, v1), Zero) = v1
    ProjectVars(ConsVar(vars, v1), Succ(h)) = ProjectVars(vars, h)

Then we have the composition operation: 

    CompositVars ∈ (vs ∈ VarList(Φ, Δ); ws ∈ VarList(Δ, Γ)) VarList(Φ, Γ)
    CompositVars(vs, Nilvar(_)) = Nilvar(Φ)
    CompositVars(vs, ConsVar(vars, v)) = ConsVar(CompositVars(vs, vars), ProjectVars(vs, v))

where the symbol _ is an argument which ALF can infer. 

Finally, the identity id_Γ : Γ ⊇ Γ and the first projection p_{Γ,A} : Γ;A ⊇ Γ: 

    IdVars ∈ (Γ ∈ Context) VarList(Γ, Γ)
    IdVars(Nil) = Nilvar(Nil)
    IdVars(Cons(Γ1, A)) = ConsVar(LiftVars(A, IdVars(Γ1)), Zero)

    ProjecVars ∈ (Γ ∈ Context; A ∈ Type) VarList(Cons(Γ, A), Γ)
    ProjecVars(Γ, A) = LiftVars(A, IdVars(Γ))

where LiftVars(A, vs) extends the assumption list Γ of vs by adding a formula 
A to Γ: 

    LiftVars ∈ (A ∈ Type; vs ∈ VarList(Γ, Δ)) VarList(Cons(Γ, A), Δ)
    LiftVars(A, Nilvar(_)) = Nilvar(Cons(Γ, A))
    LiftVars(A, ConsVar(vars, v)) = ConsVar(LiftVars(A, vars), Succ(v))

Theorem 1 (V, =, Type, Var) is a simple P-cwf, which we will refer to as (V,=). 
Furthermore, for any P-cwf D and any function J : Type → Ty_D, there is a 
unique (up to P-natural isomorphism) P-cwf-morphism ⟦−⟧ : (V,=) → D. 
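The VarList operations of this section, as an added example (this is not the paper's ALF code): a Python model of the P-cwf (V,=) in which a context is a list of formulas, a typed variable A ∈ Γ is a de Bruijn index into it and a VarList Δ ⊇ Γ is a list of such indices. Besides ProjectVars, CompositVars, IdVars, ProjecVars and LiftVars it enumerates every well-formed VarList between small constructed contexts and checks exhaustively the category laws and the universal property of context comprehension from Definition 1, which is the content of Theorem 1. The function names, the encoding of formulas as strings and pairs, and the sample contexts are this example's own assumptions.

```python
import itertools
from typing import List, Union

# Assumed encodings (not the paper's): "O" is the only atom, (A, B) stands for A -> B.
Formula = Union[str, tuple]
Context = List[Formula]       # snoc-list: the last element is the most recently added formula
VarList = List[int]           # Δ ⊇ Γ: for the k-th formula of Γ, an index of that formula in Δ


def var_type(ctx: Context, v: int) -> Formula:
    """Type of de Bruijn index v: Zero is the last formula, Succ(h) skips it and looks in the rest."""
    if not 0 <= v < len(ctx):
        raise IndexError(f"index {v} is not a variable of a context of length {len(ctx)}")
    return ctx[len(ctx) - 1 - v]


def is_varlist(delta: Context, gamma: Context, vs: VarList) -> bool:
    """Well-formedness of vs : Δ ⊇ Γ: the k-th entry proves that the k-th formula of Γ is in Δ."""
    return len(vs) == len(gamma) and all(var_type(delta, v) == A for v, A in zip(vs, gamma))


def project(vs: VarList, v: int) -> int:
    """ProjectVars: v[vs]. Like Zero/Succ, the index v counts from the end of vs."""
    return vs[len(vs) - 1 - v]


def compose(vs: VarList, ws: VarList) -> VarList:
    """CompositVars(vs : Φ ⊇ Δ, ws : Δ ⊇ Γ) : Φ ⊇ Γ, i.e. ws ∘ vs in categorical order."""
    return [project(vs, w) for w in ws]


def lift(vs: VarList) -> VarList:
    """LiftVars: view Γ ⊇ Δ as Γ;A ⊇ Δ by applying Succ to every entry."""
    return [w + 1 for w in vs]


def identity(gamma: Context) -> VarList:
    """IdVars, built as in the paper: IdVars(Γ;A) = ConsVar(LiftVars(A, IdVars(Γ)), Zero)."""
    vs: VarList = []
    for _ in gamma:
        vs = lift(vs) + [0]
    return vs


def first_projection(gamma: Context) -> VarList:
    """ProjecVars(Γ, A) = LiftVars(A, IdVars(Γ)) : Γ;A ⊇ Γ, the p of the cwf."""
    return lift(identity(gamma))


def pairing(g: VarList, v: int) -> VarList:
    """The substitution <γ, v> : Φ ⊇ Γ;A of Definition 1, from γ : Φ ⊇ Γ and v : A ∈ Φ."""
    return g + [v]


def all_varlists(delta: Context, gamma: Context) -> List[VarList]:
    """Every well-formed Δ ⊇ Γ; the hom-sets are finite, so the laws can be checked exhaustively."""
    choices = [[v for v in range(len(delta)) if var_type(delta, v) == A] for A in gamma]
    return [list(vs) for vs in itertools.product(*choices)]


def category_laws_hold(phi: Context, delta: Context, gamma: Context) -> bool:
    """Identity and associativity of CompositVars on all arrows between the given contexts."""
    for vs in all_varlists(delta, gamma):
        if compose(identity(delta), vs) != vs or compose(vs, identity(gamma)) != vs:
            return False
    for us in all_varlists(phi, delta):
        for vs in all_varlists(delta, gamma):
            for ws in all_varlists(gamma, gamma):
                if compose(compose(us, vs), ws) != compose(us, compose(vs, ws)):
                    return False
    return True


def comprehension_is_universal(phi: Context, gamma: Context, A: Formula) -> bool:
    """p ∘ <γ,v> = γ and q[<γ,v>] = v, and <γ,v> is the only arrow Φ ⊇ Γ;A with both properties."""
    p, q = first_projection(gamma), 0   # q = Zero, the second projection
    for g in all_varlists(phi, gamma):
        for v in (i for i in range(len(phi)) if var_type(phi, i) == A):
            theta = pairing(g, v)
            if not is_varlist(phi, gamma + [A], theta):
                return False
            if compose(theta, p) != g or project(theta, q) != v:
                return False
            solutions = [t for t in all_varlists(phi, gamma + [A])
                         if compose(t, p) == g and project(t, q) == v]
            if solutions != [theta]:
                return False
    return True


# Constructed sample contexts with a repeated formula, so that non-trivial renamings exist.
O, OO = "O", ("O", "O")
PHI, DELTA, GAMMA = [O, OO, O], [O, O, OO], [OO, O]

if __name__ == "__main__":
    print(category_laws_hold(PHI, DELTA, GAMMA), comprehension_is_universal(PHI, GAMMA, O))
```

The enumeration in all_varlists is what makes the uniqueness half of the universal property checkable: for these finite contexts every candidate θ : Φ ⊇ Γ;A is tried, and only ⟨γ, v⟩ survives the two equations.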



4.2 Proof Trees up to Syntactic Identity 

We shall now define the P-cwf (T, =), the terms of which are proof trees of 
minimal logic up to syntactic identity. 

We first define the sets Δ → Γ of sequences of proof trees, which will be the 
substitutions of (T, =). The introduction rules are 

      Δ : Context          as : Δ → Γ    a : Δ ⊢ A
      -----------          ----------------------
      () : Δ → []           (as, a) : Δ → Γ;A

In ALF, TermList(Δ, Γ) implements Δ → Γ: 

    TermList ∈ (Δ, Γ ∈ Context) Set
    NilList ∈ TermList(Δ, Nil)
    ConsList ∈ (as ∈ TermList(Δ, Γ); a ∈ Term(Δ, A)) TermList(Δ, Cons(Γ, A))

The equality '=' is defined by the identity type component-wise: 

    IonTx ∈ (ts1, ts2 ∈ TermList(Δ, Γ)) Set
    IntroNilIonTx ∈ IonTx(NilList, NilList)
    IntroConIonTx ∈ (p1 ∈ IonTx(ts1, ts2);
                     p2 ∈ I(t1, t2)
                    ) IonTx(ConsList(ts1, t1), ConsList(ts2, t2))

Moreover, we define a few operations which are part of the structure of a 
P-cwf. 

The substitution operation −[−] is defined by the following constant: 

    Subst ∈ (ts ∈ TermList(Γ, Δ); b ∈ Term(Δ, B)) Term(Γ, B)
    Subst(ConsList(ts, b), Variable(Zero)) = b
    Subst(ConsList(ts, b), Variable(Succ(h))) = Subst(ts, Variable(h))
    Subst(ts, Lambda(b1)) = Lambda(Subst(Lift(ts), b1))
    Subst(ts, Application(u, v)) = Application(Subst(ts, u), Subst(ts, v))

where Lift is defined below in such a way that the bound variable Variable(Zero) 
in b remains unchanged and the other, free variables in ts are lifted because 
they are pushed inside one λ: 

    lift ∈ (n ∈ N; lterm(n)) lterm(succ(n))
    lift = [n, h] rename(n, h, succ(n), projec(n))
where ExtendCon(A, bs) applies the weakening rule LiftTerm(A, −) to bs 
point-wise: 

    LiftTerm ∈ (A ∈ Type; b ∈ Term(Γ, B)) Term(Cons(Γ, A), B)
    LiftTerm(A, b) = SubVars(ProjecVars(Γ, A), b)

and the operation SubVars(vs, b) (the Thinning Lemma) can be read as: if we 
have a proof vs : Δ ⊇ Γ and a proof tree b : Γ ⊢ B, then we can construct a 
proof tree SubVars(vs, b) : Δ ⊢ B: 

    SubVars ∈ (vs ∈ VarList(Δ, Γ); b ∈ Term(Γ, B)) Term(Δ, B)
    SubVars(ConsVar(vars, v), Variable(Zero)) = Variable(v)
    SubVars(ConsVar(vars, v), Variable(Succ(h))) = SubVars(vars, Variable(h))
    SubVars(vs, Lambda(b1)) =
        Lambda(SubVars(ConsVar(LiftVars(A, vs), Zero), b1))
    SubVars(vs, Application(u, v)) = Application(SubVars(vs, u), SubVars(vs, v))

Then the composition is defined as 

    CompositTms ∈ (s ∈ TermList(Φ, Δ); t ∈ TermList(Δ, Γ)) TermList(Φ, Γ)
    CompositTms(s, NilList) = NilList
    CompositTms(s, ConsList(bs, b)) = ConsList(CompositTms(s, bs), Subst(s, b))

The identity and the first projection are defined as: 

    Tx_Id ∈ (Γ ∈ Context) TermList(Γ, Γ)
    Tx_Id(Γ) = mapVars(Γ, Γ, IdVars(Γ))

    Tx_p ∈ (Γ ∈ Context; A ∈ Type) TermList(Cons(Γ, A), Γ)
    Tx_p(Γ, A) = mapVars(Cons(Γ, A), Γ, ProjecVars(Γ, A))

where 

    mapVars ∈ (Γ, Δ ∈ Context; vs ∈ VarList(Γ, Δ)) TermList(Γ, Δ)
    mapVars(Γ, _, Nilvar(_)) = NilList
    mapVars(Γ, _, ConsVar(vars, v)) = ConsList(mapVars(Γ, Δ1, vars), Variable(v))

Theorem 2 (T, =, Type, Term) is a P-cwf. 

Cubric, Dybjer, and Scott also utilised that the base P-category of (T, =) 
has some further categorical properties, which we have formalised. 

Theorem 3 The base category of (T, =, Type, Term) has finite P-products (Γ × 
Δ) and "pre-exponentials", i.e. given objects Γ, Δ we have an object Δ^Γ; an 
evaluation arrow e : Δ^Γ × Γ → Δ; and a currying operation γ* : Θ → Δ^Γ for 
γ : Θ × Γ → Δ such that γ* ∘ δ = (γ ∘ ⟨δ ∘ fst, snd⟩)*. (Note that "=" denotes 
syntactic identity here, so that we cannot expect to have proper exponentials.) 



4.3 Categorical Properties of Proof Trees up to /3»7-Equality 

We shall now consider proof trees up to βη-convertibility. This is a family of 
binary relations ~_{Γ,A} (indexed by contexts Γ and formulas A) between proof 
trees in Γ ⊢ A. It is inductively generated by the following rules (where we have 
dropped the indices of ~): 

Per-rules: 

      a ~ a'          a ~ a'    a' ~ a''
      ------          ------------------
      a' ~ a               a ~ a''

Congruence: 

                           b ~ b'              c ~ c'    a ~ a'
      ---------------     ------------     -------------------------
      var(v) ~ var(v)     λ(b) ~ λ(b')     app(c, a) ~ app(c', a')

β-rule: 

      b : Γ;A ⊢ B    a : Γ ⊢ A
      ----------------------------
      app(λ(b), a) ~ b[(Tx_Id, a)]

η-rule: 

      c : Γ ⊢ A → B
      -----------------------------------
      c ~ λ(app(LiftTerm(c), var(0)))

The βη-equality is implemented as: 

    EqualTerm ∈ (t1, t2 ∈ Term(Γ, A)) Set

Theorem 4 Let (T, ~, Type, Term) be defined in the same way as (T, =, Type, 
Term) except that the per on terms is βη-convertibility and the per on 
substitutions is βη-convertibility extended point-wise. Then (T, ~, Type, Term) is a 
P-cwf. 

We have also formalised the proof of the following theorem, which was used 
by Cubric, Dybjer, and Scott [8]. 

Theorem 5 The base category (T, ~) is a free P-ccc. 

5 The Correspondence between Different Formalisations 

In this section we shall show the equivalence between our representation and a 
representation using raw terms à la de Bruijn. 

5.1 Bounded de Bruijn Indices 

We will define raw terms using bounded de Bruijn indices which make the number 
of free variables explicit [9]. 

Our bounded de Bruijn indices are elements of finite sets N'_n indexed by 
n ∈ N with the following introduction rules: 

          n : N                  n : N    i : N'_n
      ---------------           -------------------
      0' : N'_{s(n)}             s'(i) : N'_{s(n)}

The family of bounded de Bruijn indices is formalised directly in ALF: 

    N' ∈ (N) Set
    0' ∈ (n ∈ N) N'(succ(n))
    s' ∈ (n ∈ N; N'(n)) N'(succ(n))

where the set N is formalised as: 

    N ∈ Set
    zero ∈ N
    succ ∈ (n ∈ N) N

In this section we will define a P-cwf (N'_typa, =) of bounded de Bruijn indices, 
the analogue of (V, =), and prove that the cwf (N'_typa, =) is isomorphic to 
(V, =). We introduce typing rules for the bounded de Bruijn indices, i :: A ∈ Γ, 
meaning that the index i ∈ N'_{|Γ|} (|Γ| is the number of formulas in the context 
Γ) has type A in the context Γ: 

                            i :: A ∈ Γ
      ----------------     --------------------
      0' :: A ∈ Γ;A        s'(i) :: A ∈ Γ;B

These rules define a relation between contexts, types and de Bruijn indices. 
The relation i :: A ∈ Γ can be formalised by N'_typa(Γ, A, i) in the following 
way: 

    N'_typa ∈ (Γ ∈ Context; A ∈ Type; N'(Cont_N(Γ))) Set
    N'_typa(Cons(Δ, A1), A, 0'(_)) = I(A1, A)
    N'_typa(Cons(Δ, A1), A, s'(_, h)) = N'_typa(Δ, A, h)

where Cont_N(Γ) is the length of Γ. 

We will say that the index i is typable if i :: A ∈ Γ. 

Now we can define the set (Σi : N'_{|Γ|})(i :: A ∈ Γ) in ALF as follows: 

    Term_Ns ∈ (Context; Type) Set
    term_Ns ∈ (Γ ∈ Context; A ∈ Type; i ∈ N'(Cont_N(Γ)); N'_typa(Γ, A, i)) Term_Ns(Γ, A)

where an element of the set Term_Ns(Γ, A) is a pair of an index i ∈ N'_{|Γ|} and a 
proof that the index i has type A under the context Γ, i.e. i :: A ∈ Γ. 

A tuple of indices js = (i_1, ..., i_n) : N'^n_{|Γ|} is typable from the context Γ to 
the context Δ, denoted js :: Γ ⊇ Δ, if Δ = A_1, ..., A_n and i_k :: A_k ∈ Γ for 
k = 1, ..., n: 

                          js :: Γ ⊇ Δ    i :: A ∈ Γ
      --------------      -------------------------
      () :: Γ ⊇ []          (js, i) :: Γ ⊇ Δ;A

Then we define the family (Σjs : N'^{|Δ|}_{|Γ|})(js :: Γ ⊇ Δ) of typable lists of 
indices in ALF: 

    Typa_Ns ∈ (Γ, Δ ∈ Context) Set
    typa_Ns ∈ (js ∈ Tuple(N'(Cont_N(Γ)), Cont_N(Δ)); Typa_Ns_2(Γ, Δ, js)) Typa_Ns(Γ, Δ)

where Typa_Ns_2(Γ, Δ, js) implements the relation js :: Γ ⊇ Δ. 

Equality "=" on the set Typa_Ns(Γ, Δ) is syntactic equality on the first part 
of the set: 

    per_Ns ∈ (Γ, Δ ∈ Context; Typa_Ns(Γ, Δ); Typa_Ns(Γ, Δ)) Set
    per_Ns(Γ, Δ, typa_Ns(js, h2), typa_Ns(js1, h)) = I(js, js1)
Theorem 6 (N'_typa, =, Type, Term_Ns) is a P-cwf. Furthermore, this P-cwf is 
isomorphic to the P-cwf (V, =, Type, Var). 

We here outline how the isomorphism is proved in ALF. This is proved by 
establishing a pair of morphisms between (V, =) and (N'_typa, =) and by checking 
that they form an isomorphism. 

First we define the morphism (H, T, morph_Var_N') from (V, =) to (N'_typa, =), 
where 

— T is the identity function from Type to Type; 

— the natural transformation morph_Var_N' is defined as follows: 

    morph_Var_N' ∈ (Γ ∈ Context; A ∈ Type; Var(Γ, A)) Term_Ns(Γ, A)
    morph_Var_N'(Γ, A, h) = term_Ns(Γ, A, Var_N'(Γ, A, h), Var_N'_typa(Γ, A, h))

  where Var_N'(Γ, A, v) returns an untyped index for a typed index v : A ∈ Γ: 

    Var_N' ∈ (Γ ∈ Context; A ∈ Type; v ∈ Var(Γ, A)) N'(Cont_N(Γ))
    Var_N'(_, A, Zero) = 0'(Cont_N(Γ))
    Var_N'(_, A, Succ(h)) = s'(Cont_N(Γ), Var_N'(Γ, A, h))

  and Var_N'_typa(Γ, A, h) is a proof that this untyped index is typable, i.e. 
  Var_N'(Γ, A, h) :: A ∈ Γ. 

— the functor H consists of the identity map on Context (the set of objects) 
  and the following map on arrows: 

    morph_Vx_Ns ∈ (Γ, Δ ∈ Context; VarList(Γ, Δ)) Typa_Ns(Γ, Δ)
    morph_Vx_Ns(Γ, Δ, h) =
        typa_Ns(VarList_Tup(Γ, Δ, h), VarList_Tup_typa(Γ, Δ, h))

  where VarList_Tup applies Var_N' component-wise to vs ∈ Γ ⊇ Δ and 
  returns a tuple: 

    VarList_Tup ∈ (Γ, Δ ∈ Context;
                   vs ∈ VarList(Γ, Δ)
                  ) Tuple(N'(Cont_N(Γ)), Cont_N(Δ))
    VarList_Tup(Γ, Nilvar(_)) = one
    VarList_Tup(Γ, ConsVar(vars, v)) =
        pair(VarList_Tup(Γ, Δ, vars), Var_N'(Γ, A, v))

  and VarList_Tup_typa(Γ, Δ, vs) is a proof object that the returned tuple is 
  typable: VarList_Tup(Γ, Δ, vs) :: Γ ⊇ Δ. 

In the other direction, we define a morphism (H', T, morph_N'_Var) from 
(N'_typa, =) to (V, =), where 

— the natural transformation morph_N'_Var is defined as: 

    morph_N'_Var ∈ (Γ ∈ Context; A ∈ Type; Term_Ns(Γ, A)) Var(Γ, A)
    morph_N'_Var(Γ, A, term_Ns(_, _, i, h)) = N'_Var(Γ, A, i, h)

    N'_Var ∈ (Γ ∈ Context;
              A ∈ Type;
              p ∈ N'(Cont_N(Γ));
              N'_typa(Γ, A, p)
             ) Var(Γ, A)
    N'_Var(Cons(Γ, _), A, 0'(_), r(_)) = Zero
    N'_Var(Cons(Γ, A1), A, s'(_, p1), h) = Succ(N'_Var(Γ, A, p1, h))

— the functor H' consists of the identity map on Context, and the following 
  map on arrows, which is defined by extending N'_Var component-wise: 

    morph_Ns_Vx ∈ (Γ, Δ ∈ Context; Typa_Ns(Γ, Δ)) VarList(Γ, Δ)
    morph_Ns_Vx(Γ, Δ, h) = Ns_Tup_Vars(Γ, Δ, h)

    Ns_Tup_Vars ∈ (Γ, Δ ∈ Context; Typa_Ns(Γ, Δ)) VarList(Γ, Δ)
    Ns_Tup_Vars(Γ, Nil, typa_Ns(a1, h1)) = Nilvar(Γ)
    Ns_Tup_Vars(Γ, Cons(Δ, A), typa_Ns(pair(a, b), andIntr(h1, h2))) =
        ConsVar(Ns_Tup_Vars(Γ, Δ, typa_Ns(a, h1)), N'_Var(Γ, A, b, h2))

Then we can check that these two morphisms form an isomorphism between 
(V, =) and (N'_typa, =). 

5.2 Typable de Bruijn Raw Terms 

First we define λ-terms as an inductive family indexed by N. Λ_n represents 
λ-terms with at most n free variables with the following introduction rules [9]: 

      n : N    i : N'_n       n : N    t : Λ_{s(n)}      n : N    s, t : Λ_n
      -----------------       --------------------      --------------------
       varr(i) : Λ_n             λr(t) : Λ_n              appr(s, t) : Λ_n

    lterm ∈ (N) Set
    varl ∈ (n ∈ N; N'(n)) lterm(n)
    laml ∈ (n ∈ N; lterm(succ(n))) lterm(n)
    apl ∈ (n ∈ N; lterm(n); lterm(n)) lterm(n)

Then we define a typing relation on the raw terms: 

    Γ ⊢ t :: A = lterm_typa(Γ, A, t)

meaning that the de Bruijn term t has type A in the context Γ: 

        i :: A ∈ Γ             Γ;A ⊢ t :: B           Γ ⊢ t :: A → B    Γ ⊢ t' :: A
      -----------------     ---------------------    -----------------------------
      Γ ⊢ varr(i) :: A      Γ ⊢ λr(t) :: A → B           Γ ⊢ appr(t, t') :: B

Now we can define a family of sets (Σt : Λ_{|Γ|})(Γ ⊢ t :: A), i.e. the family of 
typed terms indexed by contexts and types: 

    Typa_lterm ∈ (Context; Type) Set
    typa_lterm ∈ (t ∈ lterm(Cont_N(Γ)); lterm_typa(Γ, A, t)) Typa_lterm(Γ, A)

where lterm_typa(Γ, A, t) implements the typing relation Γ ⊢ t :: A, and an 
element of the set Typa_lterm(Γ, A) is a pair of a raw term t ∈ Λ_{|Γ|} and a proof 
that Γ ⊢ t :: A. We have suppressed the arguments Γ and A in the constructor 
typa_lterm. 

We now define two equalities =_t and ~ on typed terms, which will correspond 
to the syntactic equality and βη-equality on proof trees respectively. 

Two typed terms of the same type are βη-equal if their first parts are βη-equal: 

    Eq_beet_Typa_lterm ∈ (Typa_lterm(Γ, A); Typa_lterm(Γ, A)) Set
    Eq_beet_Typa_lterm(typa_lterm(a, h2), typa_lterm(a1, h)) = Eq_lterm(Cont_N(Γ), a, a1)

where Eq_lterm(n, a, b) implements the βη-equality on raw terms a ~ b: 

    Eq_lterm ∈ (lterm(n); lterm(n)) Set
    refl_lterm ∈ (a ∈ lterm(n)) Eq_lterm(a, a)
    sym_lterm ∈ (a, b ∈ lterm(n); Eq_lterm(a, b)) Eq_lterm(b, a)
    tran_lterm ∈ (a, b, c ∈ lterm(n); Eq_lterm(a, b); Eq_lterm(b, c)) Eq_lterm(a, c)
    beta_lterm ∈ (a ∈ lterm(succ(n));
                  b ∈ lterm(n)
                 ) Eq_lterm(apl(n, laml(n, a), b), sub(succ(n), a, n, pair(Id_lterm(n), b)))
    apcon_lterm ∈ (a1, a2 ∈ lterm(n);
                   Eq_lterm(a1, a2);
                   b1, b2 ∈ lterm(n);
                   Eq_lterm(b1, b2)
                  ) Eq_lterm(apl(n, a1, b1), apl(n, a2, b2))
    sig_lterm ∈ (a, b ∈ lterm(succ(n)); Eq_lterm(a, b)) Eq_lterm(laml(n, a), laml(n, b))
    eta_lterm ∈ (a ∈ lterm(n)) Eq_lterm(a, laml(n, apl(succ(n), lift(n, a), varl(succ(n), 0'(n)))))

We might expect to define the equality on typed terms (which corresponds to 
the syntactic equality on proof trees) on the first part of the typed terms, i.e. 

    Eq_Typa_lterm' ∈ (Typa_lterm(Γ, A); Typa_lterm(Γ, A)) Set
    Eq_Typa_lterm'(typa_lterm(a, h2), typa_lterm(a1, h)) = I(a, a1)

However, this equality is too coarse because it is not preserved by the 
map prft (see section 5.3), which maps a typed term in Typa_lterm(Γ, A) to a 
proof tree of the type Γ ⊢ A. An example is the raw term a = (λx.y)(λz.z). We 
have the following typing relation: 

    y : A ⊢ a :: A

because y : A ⊢ λx.y :: (A1 → A1) → A and y : A ⊢ λz.z :: A1 → A1. 

On the other hand, we also have y : A ⊢ λx.y :: (A2 → A2) → A and 
y : A ⊢ λz.z :: A2 → A2 for a different formula A2, so the same raw term has a 
second typing derivation. 

The map prft will give two different proof trees from these two different 
typing derivations. 

Instead, the appropriate equality =_t can be defined recursively in ALF as 
follows: 
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Eq_syn_Typa_lterm e (tj, t2 e Typa_lterm(G, A)) Set 

Eq_syn_Typa_lterm(typa_lterm(varI(i), ft), typa_lterm(varl(b), fti)) = I(i, ;'/) 
Eq_syn_Typa_lterm(typa_lterm(lamI(ft2), ex 2 intr), typa_jterm(laml(ft2), ex 2 intr)) = 
Eq_syn_Typa_lterm(typa_lterm(ft2, ftj), typa_lterm(ft2, ftg)) 
Eq_syn_Typa_lterm(typa_lterm(apI(ft2, ftj), ex(o2, _ )), typa_lterm(apl(ft4, hs), ex(a, _ ))) = 
Sigma(I(ai, a), 

[ hg] And(Eq_syri_Typa_lterm(typa_lterm(ft2, ft) , 

typa_Jterm(ft4, conv_typa_lterm(I_Sub(Isym(ft5)), ft^, hi))), 
Eq_syn_Typa_lterm(typa_lterm(ft2, ft/), 

typa_Jterm(ft5, conv_typa_Jterm(Isym(ft 6 ), hg, ft«))))) 

where 

conv_typa_lterm e (l(A,B); a e lterm(Cont_N(G)); lterm_typa(G, A, a)) lterm_typa(G, S, a) 

We will prove that this de Bruijn representation of the typed lambda calculus 
is equivalent in a strong sense to the proof tree representation described earlier 
in the paper. To this end we will define the de Bruijn analogues of the P-cwfs 
(Γ, =) and (Γ, ~) and prove that they are isomorphic P-cwfs. The isomorphism 
will be based on two maps, which will be defined in the next section, between 
the representation of proof trees and the representation of the typed λ-calculus we 
just defined above. 



5.3 The Map Strip and Its Inverse 

We define a function strip (see [7]) which maps a proof tree t of type Γ ⊢ A to 
a raw term by stripping its type information. In the other direction, we define 
a function prft which maps a raw term b such that Γ ⊢ b :: A to a proof tree 
prft(b, δ) of type Γ ⊢ A, where δ is a proof that Γ ⊢ b :: A. 

The map strip is defined as follows: 

strip ∈ (Γ ∈ Context; A ∈ Type; Term(Γ, A)) lterm(Cont_N(Γ))
strip(Γ, A, Variable(v)) = varl(Var_N'(Γ, A, v))
strip(Γ, _, Lambda(h)) = laml(strip(Cons(Γ, A1), B, h))
strip(Γ, A, Application(u, v)) = apl(strip(Γ, Arrow(A1, A), u), strip(Γ, A1, v))

It is proved that the relation Γ ⊢ strip(t) :: A holds for any t : Term(Γ, A): 

strip_Term_typa ∈ (Γ ∈ Context; A ∈ Type; t ∈ Term(Γ, A)) lterm_typa(Γ, A, strip(Γ, A, t))

Therefore, we can define a family of maps strip'(Γ, A) : Term(Γ, A) → 
Typa_lterm(Γ, A): 

strip' ∈ (Γ ∈ Context; A ∈ Type; Term(Γ, A)) Typa_lterm(Γ, A)

strip' = [Γ, A, h]typa_lterm(strip(Γ, A, h), strip_Term_typa(Γ, A, h))



Theorem 7 The map strip preserves the syntactic equality and βη-equality on 
proof trees: 

strip_pres_Eq_Typa_lterm ∈ (a, b ∈ Term(Γ, A);
                            I(a, b)
                           ) Eq_syn_Typa_lterm(strip'(Γ, A, a), strip'(Γ, A, b))

strip_preserv_Eq ∈ (t, t' ∈ Term(Γ, A);
                    EqualTerm(t, t')
                   ) Eq_lterm(Cont_N(Γ), strip(Γ, A, t), strip(Γ, A, t'))

The map prft : Typa_lterm(Γ, A) → Term(Γ, A) is defined as follows: 

prft ∈ (Γ ∈ Context; A ∈ Type; a ∈ lterm(Cont_N(Γ)); lterm_typa(Γ, A, a)) Term(Γ, A)
prft(Γ, A, varl(i), h) = Variable(N'_Var(Γ, A, h))
prft(Γ, _, laml(h1), ex2intr(a, b, andIntr(r(_), h3))) = Lambda(prft(Cons(Γ, a), b, h1, h3))
prft(Γ, A, apl(h1, h2), Exists_intr(a, andIntr(h, h4))) =
    Application(prft(Γ, Arrow(a, A), h1, h), prft(Γ, a, h2, h4))

Theorem 8 The map prft preserves the syntactic equality and βη-equality on 
the set of typed terms: 

prft_pres_Eq_Typa_lterm ∈ (t1, t2 ∈ Typa_lterm(Γ, A);
                           Eq_syn_Typa_lterm(t1, t2)
                          ) I(prft'(Γ, A, t1), prft'(Γ, A, t2))

prft_pres_beet ∈ (t1, t2 ∈ Typa_lterm(Γ, A);
                  Eq_beet_Typa_lterm(Γ, A, t1, t2)
                 ) EqualTerm(prft'(Γ, A, t1), prft'(Γ, A, t2))

where prft' is the uncurried version of prft: 

prft' ∈ (Γ ∈ Context; A ∈ Type; t ∈ Typa_lterm(Γ, A)) Term(Γ, A)
prft'(Γ, A, typa_lterm(a, h)) = prft(Γ, A, a, h)

To prove the above theorem, we need to assume the normalisation theorem: 

Normalizing ∈ (Γ ∈ Context; A ∈ Type; t ∈ Term(Γ, A)) Set

Normalizing = [Γ, A, t]Exists(Term(Γ, A), [h]And(Norm(Γ, A, h), EqualTerm(t, h)))

where Norm(Γ, A, h) expresses that the proof tree h is in normal form. 

Theorem 9 The map prft is the inverse of the map strip: 

strip'_prft' ∈ (a ∈ Typa_lterm(Γ, A)) Eq_syn_Typa_lterm(strip'(Γ, A, prft'(Γ, A, a)), a)

prft'_strip' ∈ (t ∈ Term(Γ, A)) I(prft'(Γ, A, strip'(Γ, A, t)), t)



5.4 The Isomorphism of (Γ, =) ((Γ, ~)) and (Λ_typa, =_t) ((Λ_typa, ~)) 

First we extend the typing relation to tuples of raw terms: 

lterms_Typa ∈ (Γ, Δ ∈ Context; as ∈ Tuple(lterm(Cont_N(Γ)), Cont_N(Δ))) Set
lterms_Typa(Γ, Nil, as) = One
lterms_Typa(Γ, Cons(Δ, A), pair(a, b)) = And(lterms_Typa(Γ, Δ, a), lterm_typa(Γ, A, b))

Then we define the family of sets $\Sigma_{as}\,(as :: \Gamma \to \Delta)$, which will be 
the set of arrows from Γ to Δ: 

Typa_lterms ∈ (Context; Context) Set

typa_lterms ∈ (as ∈ Tuple(lterm(Cont_N(Γ)), Cont_N(Δ));
               lterms_Typa(Γ, Δ, as)
              ) Typa_lterms(Γ, Δ)

The equality on arrows is defined by the equality Eq_syn_Typa_lterm component-wise. 

To obtain the P-cwfs we need to define a few operations on Typa_lterms(Γ, Δ). 
These operations are based on the corresponding operations on Λ_n (see [9]). 
For example, we have the operation: 

sub ∈ (n ∈ N; g ∈ lterm(n); m ∈ N; fs ∈ Tuple(lterm(m), n)) lterm(m)
sub(n, apl(_, h, h1), m, fs) = apl(m, sub(n, h, m, fs), sub(n, h1, m, fs))
sub(n, laml(_, h), m, fs) =
    laml(m, sub(succ(n), h, succ(m), pair(map(lift(m), n, fs), varl(succ(m), 0'(m)))))
sub(n, varl(_, i), m, fs) = pi(lterm(m), n, i, fs)
and the proof that the operation sub preserves typability: 

sub_is_typa ∈ (Γ, Δ ∈ Context;
               A ∈ Type;
               bs ∈ Tuple(lterm(Cont_N(Γ)), Cont_N(Δ));
               lterms_Typa(Γ, Δ, bs);
               b ∈ lterm(Cont_N(Δ));
               lterm_typa(Δ, A, b)
              ) lterm_typa(Γ, A, sub(Cont_N(Δ), b, Cont_N(Γ), bs))

Hence, the following operation is well defined: 

sub_Typa_lterm ∈ (Γ, Δ ∈ Context;
                  A ∈ Type;
                  f ∈ Typa_lterms(Γ, Δ);
                  a ∈ Typa_lterm(Δ, A)
                 ) Typa_lterm(Γ, A)

sub_Typa_lterm(Γ, Δ, A, typa_lterms(as, h), typa_lterm(a1, h1)) =
    typa_lterm(sub(Cont_N(Δ), a1, Cont_N(Γ), as), sub_is_typa(Γ, Δ, A, as, h, a1, h1))

Similarly, we can define the composition operation: 

com_Typa_lterms ∈ (Typa_lterms(Δ, Γ); Typa_lterms(Φ, Δ)) Typa_lterms(Φ, Γ)
com_Typa_lterms(typa_lterms(as, h2), typa_lterms(as1, h)) =
    typa_lterms(comp(as, as1), com_Typa_lterms_typa(as, as1, h2, h))

where comp is the composition on raw terms: 

comp ∈ (bs ∈ Tuple(lterm(n), p); as ∈ Tuple(lterm(m), n)) Tuple(lterm(m), p)
comp(bs, as) = map([h]sub(n, h, m, as), p, bs)

and com_Typa_lterms_typa provides the proof object: 

com_Typa_lterms_typa ∈ (as ∈ Tuple(lterm(Cont_N(Δ)), Cont_N(Γ));
                        bs ∈ Tuple(lterm(Cont_N(Φ)), Cont_N(Δ));
                        lterms_Typa(Δ, Γ, as);
                        lterms_Typa(Φ, Δ, bs)
                       ) lterms_Typa(Φ, Γ, comp(as, bs))

Other operations are defined similarly. 
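As an added illustration of sections 5.3 and 5.4 (this is not code from the paper or from its ALF development), the following Python sketch implements raw de Bruijn terms with the substitution sub and the composition comp, proof trees with strip, typing derivations as explicit witnesses, and prft. The names Var/Lam/App, PVar/PLam/PApp, DVar/DLam/DApp, lift, check, deriv_of and type_of, the list-based representation of tuples and contexts, and the convention that index 0 is the innermost binder are this example's own choices. It reproduces the paper's (λx.y)(λz.z) example: two derivations of y : A ⊢ a :: A give two different proof trees under prft, while strip sends both back to the same raw term, which is why the equality on raw terms alone is too coarse; it also checks prft'(strip'(t)) = t on a proof tree, one direction of Theorem 9.

```python
from dataclasses import dataclass
from typing import List, Union

# Simple types: base types and arrows.
@dataclass(frozen=True)
class Base: name: str
@dataclass(frozen=True)
class Arrow: dom: "Ty"; cod: "Ty"
Ty = Union[Base, Arrow]

# Raw de Bruijn terms (the paper's lterm); here index 0 is the innermost binder.
@dataclass(frozen=True)
class Var: i: int
@dataclass(frozen=True)
class Lam: body: "Raw"
@dataclass(frozen=True)
class App: fun: "Raw"; arg: "Raw"
Raw = Union[Var, Lam, App]

# Proof trees (the paper's Term(Gamma, A)); Lambda records the domain type that strip forgets.
@dataclass(frozen=True)
class PVar: i: int
@dataclass(frozen=True)
class PLam: dom: Ty; body: "Tree"
@dataclass(frozen=True)
class PApp: fun: "Tree"; arg: "Tree"
Tree = Union[PVar, PLam, PApp]

# Typing derivations (witnesses of lterm_typa); each application records its argument type.
@dataclass(frozen=True)
class DVar: pass
@dataclass(frozen=True)
class DLam: body: "Deriv"
@dataclass(frozen=True)
class DApp: arg_ty: Ty; fun: "Deriv"; arg: "Deriv"
Deriv = Union[DVar, DLam, DApp]

def lift(t: Raw, c: int = 0) -> Raw:
    """Shift free variables (index >= c) by one: an m-term becomes an (m+1)-term."""
    if isinstance(t, Var): return Var(t.i + 1) if t.i >= c else t
    if isinstance(t, Lam): return Lam(lift(t.body, c + 1))
    return App(lift(t.fun, c), lift(t.arg, c))

def sub(t: Raw, fs: List[Raw]) -> Raw:
    """Simultaneous substitution of fs[i] for free variable i (the paper's sub)."""
    if isinstance(t, Var): return fs[t.i]
    if isinstance(t, Lam):  # under a binder: variable 0 stays, the substituents are lifted past it
        return Lam(sub(t.body, [Var(0)] + [lift(f) for f in fs]))
    return App(sub(t.fun, fs), sub(t.arg, fs))

def comp(bs: List[Raw], as_: List[Raw]) -> List[Raw]:
    """Composition of substitutions (the paper's comp)."""
    return [sub(b, as_) for b in bs]

def strip(t: Tree) -> Raw:
    """Forget the type annotations of a proof tree (the paper's strip)."""
    if isinstance(t, PVar): return Var(t.i)
    if isinstance(t, PLam): return Lam(strip(t.body))
    return App(strip(t.fun), strip(t.arg))

def type_of(ctx: List[Ty], t: Tree) -> Ty:
    """Type of a proof tree in context ctx (ctx[0] is the innermost binder)."""
    if isinstance(t, PVar): return ctx[t.i]
    if isinstance(t, PLam): return Arrow(t.dom, type_of([t.dom] + ctx, t.body))
    return type_of(ctx, t.fun).cod

def deriv_of(ctx: List[Ty], t: Tree) -> Deriv:
    """Derivation of strip(t) read off the tree (the paper's strip_Term_typa)."""
    if isinstance(t, PVar): return DVar()
    if isinstance(t, PLam): return DLam(deriv_of([t.dom] + ctx, t.body))
    return DApp(type_of(ctx, t.arg), deriv_of(ctx, t.fun), deriv_of(ctx, t.arg))

def check(ctx: List[Ty], ty: Ty, t: Raw, d: Deriv) -> bool:
    """Does d witness ctx |- t :: ty ? (the paper's lterm_typa)"""
    if isinstance(t, Var) and isinstance(d, DVar):
        return t.i < len(ctx) and ctx[t.i] == ty
    if isinstance(t, Lam) and isinstance(d, DLam) and isinstance(ty, Arrow):
        return check([ty.dom] + ctx, ty.cod, t.body, d.body)
    if isinstance(t, App) and isinstance(d, DApp):
        return check(ctx, Arrow(d.arg_ty, ty), t.fun, d.fun) and check(ctx, d.arg_ty, t.arg, d.arg)
    return False

def prft(ctx: List[Ty], ty: Ty, t: Raw, d: Deriv) -> Tree:
    """Rebuild the proof tree from a raw term and its derivation (the paper's prft)."""
    if not check(ctx, ty, t, d): raise ValueError("derivation does not type the term")
    if isinstance(t, Var): return PVar(t.i)
    if isinstance(t, Lam): return PLam(ty.dom, prft([ty.dom] + ctx, ty.cod, t.body, d.body))
    return PApp(prft(ctx, Arrow(d.arg_ty, ty), t.fun, d.fun), prft(ctx, d.arg_ty, t.arg, d.arg))

# The paper's example, constructed here: y : A |- (\x.y)(\z.z) :: A.
A, A1, A2 = Base("A"), Base("A1"), Base("A2")
CTX, RAW = [A], App(Lam(Var(1)), Lam(Var(0)))   # y : A; under \x the variable y has index 1

def two_derivations():
    """x may be typed A1 -> A1 or A2 -> A2: two different proof trees, one raw term."""
    d1 = DApp(Arrow(A1, A1), DLam(DVar()), DLam(DVar()))
    d2 = DApp(Arrow(A2, A2), DLam(DVar()), DLam(DVar()))
    return prft(CTX, A, RAW, d1), prft(CTX, A, RAW, d2)
```

The two trees returned by two_derivations differ only in the domain annotation of the left lambda (A1 → A1 versus A2 → A2), and strip maps both to RAW; prft refuses a derivation that does not type the term, which is the role the proof argument h plays in the ALF signature of prft.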



Theorem 10 (Λ_typa, =_t, Type, Typa_lterm) is a P-cwf. Furthermore, (Λ_typa, 
=_t, Type, Typa_lterm) and (Γ, =, Type, Term) are isomorphic P-cwfs. 

The morphism from the P-cwf (Γ, =) to the P-cwf (Λ_typa, =_t) is the triple (H, T, 
strip'), where the functor H on objects is the identity map and on arrows is 
extended by strip' component-wise, and T is the identity map on Type. 

The morphism from (Λ_typa, =_t) to (Γ, =) is the triple (H', T, prft'), where 
the functor H' on objects is the identity map and on arrows is extended by prft' 
component-wise. These morphisms form an isomorphism between (Λ_typa, =_t) 
and (Γ, =). These morphisms also apply to the following theorem: 

Theorem 11 (Λ_typa, ~, Type, Typa_lterm) is a P-cwf with the same parts as 
(Λ_typa, =_t, Type, Typa_lterm) except that the per on arrows is βη-conversion. 
Furthermore, (Λ_typa, ~, Type, Typa_lterm) and (Γ, ~, Type, Term) are isomorphic. 



6 Conclusion 

Many authors have proved theorems about simply and dependently typed lambda 
calculi inside type theory proof assistants, for example, Coquand [6], Bove [4] 
(in ALF), McKinna and Pollack [15], Altenkirch [1] (in LEGO), and B. Barras 
[3], Huet [12], Saïbi [19] (in Coq). A variety of approaches have been used. 
The aim of our work is not only to suggest a formalization which we claim is 
particularly natural from a type-theoretic point of view, but also to abstract by 
using category theory, and to show what is involved in showing the equivalence 
of different representations. This work shows that, perhaps surprisingly, it is a 
non-trivial problem to prove the equivalence of different representations. 

What we have here is only a beginning, since we only consider and relate two 
rather similar representations. It would be interesting to carry out such 
equivalence proofs for other representations as well. It would also be very interesting 
to extend the present work to formalizations of dependent types. The long term 
goal is to get a library for proof theory which is elegant and flexible with respect 
to choice of representation. 